From 234f0a1bfa9116bba0a7e16223d46642f6910b58 Mon Sep 17 00:00:00 2001 From: Gergely Pollak Date: Fri, 5 Apr 2019 15:12:55 +0200 Subject: [PATCH] YARN-9445. ConfiguredYarnAuthorizer checkPermissionInternal ignored yarn.admin.acl --- .../security/ConfiguredYarnAuthorizer.java | 5 + .../fair/TestFairSchedulerACLAuthorizer.java | 350 ++++++++++++++++++ 2 files changed, 355 insertions(+) create mode 100644 hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerACLAuthorizer.java diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java index 615ecb0106e..1f598581a35 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/ConfiguredYarnAuthorizer.java @@ -70,6 +70,11 @@ public void setPermission(List permissions, private boolean checkPermissionInternal(AccessType accessType, PrivilegedEntity target, UserGroupInformation user) { boolean ret = false; + + if (isAdmin(user) && accessType == AccessType.ADMINISTER_QUEUE) { + return true; + } + Map acls = allAcls.get(target); if (acls != null) { AccessControlList list = acls.get(accessType); 
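Review bot: The new early return grants ADMINISTER_QUEUE to anyone matched by isAdmin() before the per-target ACL map is consulted, but nothing in the hunk records that this shortcut is deliberately limited to ADMINISTER_QUEUE and does not extend to SUBMIT_APPLICATIONS; add `// Members of yarn.admin.acl administer every queue; other access types still go through the per-queue ACLs below.` above the `if`. isAdmin() is defined outside this hunk, so whether it honours the `*` wildcard and group membership is not visible here — the added test file exercises `*` but only user names, so that is worth confirming against its implementation. Declaring `boolean ret = false;` ahead of the early return is harmless but reads oddly; moving the admin check above the declaration keeps the guard clause first. checkPermissionInternal's body continues outside the hunk.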
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerACLAuthorizer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerACLAuthorizer.java new file mode 100644 index 00000000000..e25fb234e8b --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerACLAuthorizer.java 
@@ -0,0 +1,350 @@ +package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair; + +import org.apache.commons.lang3.ArrayUtils; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.yarn.api.records.QueueACL; +import org.apache.hadoop.yarn.conf.YarnConfiguration; +import org.junit.Test; + +import java.io.File; +import java.io.FileWriter; +import java.io.IOException; +import java.io.PrintWriter; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertFalse; + +public class TestFairSchedulerACLAuthorizer { + //Global adminACL should be granted for this user + UserGroupInformation userYarnAdmin = + UserGroupInformation.createRemoteUser("userYarnAdmin"); + //Queue level admin ACL be granted for this user + UserGroupInformation userQueueAdmin = + UserGroupInformation.createRemoteUser("userQueueAdmin"); + //Root queue level admin ACL be granted for this user + UserGroupInformation userRootAdmin = + UserGroupInformation.createRemoteUser("userRootAdmin"); + //Root queue level submit ACL be granted for this user + UserGroupInformation userRootSimpleton = + UserGroupInformation.createRemoteUser("userRootSimpleton"); + //Queue level level submit ACL be granted for this user + UserGroupInformation userSimpleton = + UserGroupInformation.createRemoteUser("userSimpleton"); + + //List for all users, for easier assertions + UserGroupInformation usersAll[] = new UserGroupInformation[] { + userYarnAdmin, + userQueueAdmin, + userRootAdmin, + userRootSimpleton, + userSimpleton, + }; + + protected String generateAllocation() throws IOException { + final String TEST_DIR = new File(System.getProperty("test.build.data", + "/tmp")).getAbsolutePath(); + + final String ALLOC_FILE = new File(TEST_DIR, "test-queues.xml") + .getAbsolutePath(); + System.out.println(ALLOC_FILE); + PrintWriter out = new PrintWriter(new FileWriter(ALLOC_FILE)); + out.println(""); + out.println(""); + out.println(""); + out.println(" userRootSimpleton 
"); + out.println(" userRootAdmin "); + out.println(" "); + out.println(" userSimpleton "); + out.println(" userQueueAdmin "); + out.println(" "); + out.println(" "); + out.println(" userSimpleton "); + out.println(" "); + out.println(" "); + out.println(" "); + out.println(" "); + out.println(" userQueueAdmin "); + out.println(" "); + out.println(" "); + out.println(" "); + out.println(" "); + out.println(" "); + out.println(""); + out.println(""); + out.close(); + + return ALLOC_FILE; + } + + void assertHasAccess(FSQueue queue, + QueueACL aclLevel, + UserGroupInformation[] usersWithAccess, + UserGroupInformation[] allUsers) + { + for (UserGroupInformation user : allUsers) { + if (ArrayUtils.contains(usersWithAccess, user)) { + assertTrue(queue.hasAccess(aclLevel, user)); + } else { + assertFalse(queue.hasAccess(aclLevel, user)); + } + } + } + + void assertHasAccess(FSQueue queue, QueueACL aclLevel, + UserGroupInformation[] usersWithAccess) { + assertHasAccess(queue, aclLevel, usersWithAccess, usersAll); + } + + @Test + public void testQueueACLWithGlobalAdminPresent() throws Exception { + FairSchedulerConfiguration fsConf = new FairSchedulerConfiguration(); + + //enabling ACL + fsConf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true); + //setting scheduler to fair + fsConf.set(YarnConfiguration.RM_SCHEDULER, FairScheduler.class.getName()); + //setting the queue allocation + fsConf.set(FairSchedulerConfiguration.ALLOCATION_FILE, + generateAllocation()); + //Setting the "global" YARN admin + fsConf.set(YarnConfiguration.YARN_ADMIN_ACL, "userYarnAdmin"); + + FairScheduler fs = new FairScheduler(); + fs.serviceInit(fsConf); + QueueManager qm = fs.getQueueManager(); + + //Testing admin permissions for queue WITH admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_Admin_User"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userYarnAdmin, userQueueAdmin, userRootAdmin + } + ); + //Testing submit permissions for queue WITH admin and WITH user 
+ assertHasAccess( + qm.getQueue("root.queue_Admin_User"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton, userSimpleton + } + ); + + //Testing admin permissions for queue WITH NO admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_User"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userYarnAdmin, userRootAdmin + } + ); + //Testing submit permissions for queue WITH NO admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_User"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton, userSimpleton + } + ); + + //Testing admin permissions for queue WITH admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_Admin_NOUser"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userYarnAdmin, userQueueAdmin, userRootAdmin + } + ); + //Testing submit permissions for queue WITH admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_Admin_NOUser"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton + } + ); + + //Testing admin permissions for queue WITH NO admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_NOUser"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userYarnAdmin, userRootAdmin + } + ); + //Testing submit permissions for queue WITH NO admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_NOUser"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton + } + ); + } + + @Test + public void testQueueACLWithNOGlobalAdminPresent() throws Exception { + FairSchedulerConfiguration fsConf = new FairSchedulerConfiguration(); + + //enabling ACL + fsConf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true); + //setting scheduler to fair + fsConf.set(YarnConfiguration.RM_SCHEDULER, FairScheduler.class.getName()); + //setting the queue allocation + fsConf.set(FairSchedulerConfiguration.ALLOCATION_FILE, + 
generateAllocation()); + //Disabling the "global" YARN admin + fsConf.set(YarnConfiguration.YARN_ADMIN_ACL, " "); + + FairScheduler fs = new FairScheduler(); + fs.serviceInit(fsConf); + QueueManager qm = fs.getQueueManager(); + + //Testing admin permissions for queue WITH admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_Admin_User"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userQueueAdmin, userRootAdmin + } + ); + //Testing submit permissions for queue WITH admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_Admin_User"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton, userSimpleton + } + ); + + //Testing admin permissions for queue WITH NO admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_User"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userRootAdmin + } + ); + //Testing submit permissions for queue WITH NO admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_User"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton, userSimpleton + } + ); + + //Testing admin permissions for queue WITH admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_Admin_NOUser"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userQueueAdmin, userRootAdmin + } + ); + //Testing submit permissions for queue WITH admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_Admin_NOUser"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton + } + ); + + //Testing admin permissions for queue WITH NO admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_NOUser"), + QueueACL.ADMINISTER_QUEUE, + new UserGroupInformation[]{ + userRootAdmin + } + ); + //Testing submit permissions for queue WITH NO admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_NOUser"), + QueueACL.SUBMIT_APPLICATIONS, + new 
UserGroupInformation[]{ + userRootSimpleton + } + ); + } + + @Test + public void testQueueACLWithAsteriskGlobalAdmin() throws Exception { + FairSchedulerConfiguration fsConf = new FairSchedulerConfiguration(); + + //enabling ACL + fsConf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true); + //setting scheduler to fair + fsConf.set(YarnConfiguration.RM_SCHEDULER, FairScheduler.class.getName()); + //setting the queue allocation + fsConf.set(FairSchedulerConfiguration.ALLOCATION_FILE, + generateAllocation()); + //Making everyone global yarn admin + fsConf.set(YarnConfiguration.YARN_ADMIN_ACL, "*"); + + FairScheduler fs = new FairScheduler(); + fs.serviceInit(fsConf); + QueueManager qm = fs.getQueueManager(); + + //Testing admin permissions for queue WITH admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_Admin_User"), + QueueACL.ADMINISTER_QUEUE, + usersAll + ); + //Testing submit permissions for queue WITH admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_Admin_User"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton, userSimpleton + } + ); + + //Testing admin permissions for queue WITH NO admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_User"), + QueueACL.ADMINISTER_QUEUE, + usersAll + ); + //Testing submit permissions for queue WITH NO admin and WITH user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_User"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton, userSimpleton + } + ); + + //Testing admin permissions for queue WITH admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_Admin_NOUser"), + QueueACL.ADMINISTER_QUEUE, + usersAll + ); + //Testing submit permissions for queue WITH admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_Admin_NOUser"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton + } + ); + + //Testing admin permissions for queue WITH NO admin and WITH NO user 
+ assertHasAccess( + qm.getQueue("root.queue_NOAdmin_NOUser"), + QueueACL.ADMINISTER_QUEUE, + usersAll + ); + //Testing submit permissions for queue WITH NO admin and WITH NO user + assertHasAccess( + qm.getQueue("root.queue_NOAdmin_NOUser"), + QueueACL.SUBMIT_APPLICATIONS, + new UserGroupInformation[]{ + userRootSimpleton + } + ); + } +} -- 2.17.2 (Apple Git-113)
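Review bot: In generateAllocation the PrintWriter wrapping `new FileWriter(ALLOC_FILE)` is closed only on the happy path, so a failure between construction and `out.close()` leaks the handle and can leave a partially written allocation file for the next test; write it as `try (PrintWriter out = new PrintWriter(new FileWriter(ALLOC_FILE))) {` and drop the explicit close. The `System.out.println(ALLOC_FILE);` line looks like leftover debugging and should be removed. The three test methods repeat the same FairSchedulerConfiguration setup and differ only in the YARN_ADMIN_ACL value, so a private helper taking the admin ACL string would keep the three cases in sync. The allocation file is written to a fixed `test-queues.xml` under test.build.data (falling back to /tmp), which can collide if tests in this module run in parallel; a per-test temporary directory would avoid that.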