diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index 992d3ea..ca215ef 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -560,6 +560,11 @@ public static final String DEFAULT_RM_NODEMANAGER_MINIMUM_VERSION = "NONE"; + /** + * RM proxy users' prefix + */ + public static final String RM_PROXY_USER_PREFIX = RM_PREFIX + "proxyuser."; + //////////////////////////////// // Node Manager Configs //////////////////////////////// diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java index f0baf2b..5b28519 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/security/http/RMAuthenticationFilterInitializer.java 
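Review bot: In YarnConfiguration.java the Javadoc on `RM_PROXY_USER_PREFIX` says only `RM proxy users' prefix`, which tells an operator neither the key shape nor the precedence. Keys under this prefix decide who the ResourceManager lets impersonate other users, so the comment should spell both out, for example `Prefix for RM-specific proxy user settings (yarn.resourcemanager.proxyuser.<user>.hosts|users|groups); in the RM these override the matching hadoop.proxyuser.* keys.` The key shape is taken from the test added in this patch and the precedence from the ResourceManager hunk.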
@@ -35,6 +35,7 @@ import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; +import org.apache.hadoop.security.authorize.ProxyUsers; import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; @@ -49,7 +50,6 @@ public RMAuthenticationFilterInitializer() { this.configPrefix = "hadoop.http.authentication."; - this.proxyPrefix = "yarn.resourcemanager.webapp.proxyuser."; this.signatureSecretFileProperty = AuthenticationFilter.SIGNATURE_SECRET + ".file"; this.kerberosPrincipalProperty = KerberosAuthenticationHandler.PRINCIPAL; @@ -68,9 +68,9 @@ public RMAuthenticationFilterInitializer() { String value = conf.get(propName); String name = propName.substring(configPrefix.length()); filterConfig.put(name, value); - } else if (propName.startsWith(proxyPrefix)) { + } else if (propName.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)) { String value = conf.get(propName); - String name = propName.substring("yarn.resourcemanager.webapp.".length()); + String name = propName.substring("hadoop.".length()); filterConfig.put(name, value); } } 
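Review bot: The new branch in the last hunk matches `propName.startsWith(ProxyUsers.CONF_HADOOP_PROXYUSER)` without a trailing dot, so a key such as `hadoop.proxyuserfoo` (constructed example) would also be copied into the filter config. The constant presumably carries no dot, since the ResourceManager change in this patch appends `"."` to it. The following `substring("hadoop.".length())` also hard-codes part of the constant's value. Building the prefix once with `String proxyPrefix = ProxyUsers.CONF_HADOOP_PROXYUSER + ".";`, testing `propName.startsWith(proxyPrefix)` and deriving the name as `"proxyuser." + propName.substring(proxyPrefix.length())` keeps the match and the strip in step. The old `yarn.resourcemanager.webapp.proxyuser.` keys are no longer read, so deployments that set them lose their web proxy-user settings silently; a warning when such keys are present would make that visible. The enclosing method starts and ends outside the hunk.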
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java index 51ed2b1..06b146b 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java @@ -23,7 +23,9 @@ import java.net.InetSocketAddress; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; +import java.util.HashMap; import java.util.List; +import java.util.Map; import java.util.concurrent.BlockingQueue; import java.util.concurrent.LinkedBlockingQueue; @@ -212,6 +214,20 @@ protected void serviceInit(Configuration conf) throws Exception { .refresh(); // Do refreshSuperUserGroupsConfiguration with loaded core-site.xml + // Or use RM specific configurations to overwrite the common ones first + // if they exist + Map rmProxyUsers = new HashMap(); + for (Map.Entry entry : conf) { + String propName = entry.getKey(); + if (propName.startsWith(YarnConfiguration.RM_PROXY_USER_PREFIX)) { + rmProxyUsers.put(ProxyUsers.CONF_HADOOP_PROXYUSER + "." + + propName.substring(YarnConfiguration.RM_PROXY_USER_PREFIX.length()), + entry.getValue()); + } + } + for (Map.Entry entry : rmProxyUsers.entrySet()) { + conf.set(entry.getKey(), entry.getValue()); + } ProxyUsers.refreshSuperUserGroupsConfiguration(this.conf); // load yarn-site.xml 
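Review bot: The overlay in serviceInit replaces `hadoop.proxyuser.*` one key at a time. An RM entry that sets only `yarn.resourcemanager.proxyuser.foo.hosts` therefore still inherits `hadoop.proxyuser.foo.users` and `.groups` from the common configuration, and a superuser defined only under `hadoop.proxyuser.` stays authorized in the RM. The comment above the loop should say so, e.g. `// RM keys override matching hadoop.proxyuser.* keys one by one; unmatched common keys stay in effect`. The loop reads and writes the `conf` parameter while the refresh uses `this.conf`, and it runs before the `// load yarn-site.xml` step. If the two are not the same object, or the RM keys arrive only with that later load, the overlay has no effect; this needs confirming because serviceInit continues outside the hunk. Any other caller of `ProxyUsers.refreshSuperUserGroupsConfiguration` (none is visible in this patch) would need the same overlay, otherwise a later refresh restores the common values. A log line naming each overridden key would also let an operator audit the effective impersonation settings.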
diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-tests/src/test/java/org/apache/hadoop/yarn/server/TestRMProxyUsersConf.java hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-tests/src/test/java/org/apache/hadoop/yarn/server/TestRMProxyUsersConf.java
new file mode 100644
index 0000000..7c4de00
--- /dev/null
+++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-tests/src/test/java/org/apache/hadoop/yarn/server/TestRMProxyUsersConf.java
@@ -0,0 +1,104 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.yarn.server;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class TestRMProxyUsersConf {
+
+ private static final UserGroupInformation FOO_USER =
+ UserGroupInformation.createUserForTesting("foo", new String[] { "foo_group" });
+ private static final UserGroupInformation BAR_USER =
+ UserGroupInformation.createUserForTesting("bar", new String[] { "bar_group" });
+
+ @Parameterized.Parameters
+ public static Collection headers() {
+ return Arrays.asList(new Object[][] { { 0 }, { 1 }, { 2 } });
+ }
+
+ private Configuration conf;
+
+ public TestRMProxyUsersConf(int round) {
+ conf = new YarnConfiguration();
+ switch (round) {
+ case 0:
+ // hadoop.proxyuser prefix
+ conf.set("hadoop.proxyuser.foo.hosts", "localhost");
+ conf.set("hadoop.proxyuser.foo.users", "bar");
+ conf.set("hadoop.proxyuser.foo.groups", "bar_group");
+ break;
+ case 1:
+ // yarn.timeline-service.http-authentication.proxyuser prefix
+ conf.set("yarn.resourcemanager.proxyuser.foo.hosts", "localhost");
+ conf.set("yarn.resourcemanager.proxyuser.foo.users", "bar");
+ conf.set("yarn.resourcemanager.proxyuser.foo.groups", "bar_group");
+ break;
+ case 2:
+ // hadoop.proxyuser prefix has been overwritten by
+ // yarn.resourcemanager.proxyuser prefix
+ conf.set("hadoop.proxyuser.foo.hosts", "xyz");
+ conf.set("hadoop.proxyuser.foo.users", "xyz");
+ conf.set("hadoop.proxyuser.foo.groups", "xyz");
+ conf.set("yarn.resourcemanager.proxyuser.foo.hosts", "localhost");
+ conf.set("yarn.resourcemanager.proxyuser.foo.users", "bar");
+ conf.set("yarn.resourcemanager.proxyuser.foo.groups", "bar_group");
+ break;
+ default:
+ break;
+ }
+ }
+
+ @Test
+ public void testProxyUserConfiguration() throws Exception {
+ MiniYARNCluster yarnCluster =
+ new MiniYARNCluster(TestRMProxyUsersConf.class.getName(), 0, 0, 0);
+ try {
+ yarnCluster.init(conf);
+ yarnCluster.start();
+ // wait for web server starting
+ Thread.sleep(10000);
+ UserGroupInformation proxyUser =
+ UserGroupInformation.createProxyUser(
+ BAR_USER.getShortUserName(), FOO_USER);
+ try {
+ ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser,
+ "localhost");
+ } catch (AuthorizationException e) {
+ // Exception is not expected
+ Assert.fail();
+ }
+ } finally {
+ yarnCluster.stop();
+ yarnCluster.close();
+ }
+ }
+
+}
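Review bot: Every round of testProxyUserConfiguration asserts only that the impersonation is authorized, so the test cannot detect a configuration that authorizes too much. Round 2 never checks that the overwritten `xyz` values stopped applying, and no round checks that an unlisted host or user is rejected. A rejection check placed after the existing authorize call would cover the restrictive side of the setting. The comment in `case 1` names `yarn.timeline-service.http-authentication.proxyuser` while the keys it sets are `yarn.resourcemanager.proxyuser.*`. The fixed `Thread.sleep(10000)` adds ten seconds per round although the visible test makes no web request.

```java
      // … unchanged: existing authorize(proxyUser, "localhost") check …
      try {
        // 192.0.2.1 is a constructed sample address that is not in the configured hosts list
        ProxyUsers.getDefaultImpersonationProvider().authorize(proxyUser,
            "192.0.2.1");
        Assert.fail("impersonation from an unlisted host was authorized");
      } catch (AuthorizationException expected) {
        // rejected, as the hosts restriction requires
      }
```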