diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/ACLsTestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/ACLsTestBase.java index ddebaaa7d15..a011c8a8b35 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/ACLsTestBase.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/ACLsTestBase.java @@ -113,5 +113,9 @@ public ApplicationClientProtocol run() throws Exception { return userClient; } + public Configuration getConf() { + return conf; + } + protected abstract Configuration createConfiguration() throws IOException; } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/QueueACLsTestBase.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/QueueACLsTestBase.java index 82b3e24eaa2..2273f505e00 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/QueueACLsTestBase.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/QueueACLsTestBase.java @@ -18,9 +18,12 @@ package org.apache.hadoop.yarn.server.resourcemanager; +import java.io.IOException; import java.util.HashMap; import java.util.Map; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.yarn.api.records.QueueACL; import org.junit.Assert; import org.apache.hadoop.security.authorize.AccessControlList; @@ -43,6 +46,19 @@ public abstract class QueueACLsTestBase extends ACLsTestBase { + protected static final String QUEUED = "D"; + protected static final String QUEUED1 = "D1"; + private static final String ALL_ACL = "*"; + private static final String NONE_ACL = " "; + + + abstract public String getQueueD(); + + abstract public String getQueueD1(); + + abstract public void updateConfigWithDAndD1Queues(String rootAcl, + String queueDAcl, String queueD1Acl) throws IOException; + @After public void tearDown() { if (resourceManager != null) { @@ -75,6 +91,82 @@ public void testApplicationACLs() throws Exception { } + @Test + public void testQueueAclRestrictedRootACL() throws IOException { + updateConfigWithDAndD1Queues(NONE_ACL, ALL_ACL, ALL_ACL); + checkAccess(false, true, true); + } + + @Test + public void testQueueAclNoAccess() throws IOException { + updateConfigWithDAndD1Queues(NONE_ACL, NONE_ACL, NONE_ACL); + checkAccess(false, false, false); + } + + @Test + public void testQueueAclRestrictedRootAndD1() throws IOException { + updateConfigWithDAndD1Queues(NONE_ACL, ALL_ACL, NONE_ACL); + checkAccess(false, true, true); + } + + @Test + public void testQueueAclRestrictedRootAndD() throws IOException { + updateConfigWithDAndD1Queues(NONE_ACL, NONE_ACL, ALL_ACL); + checkAccess(false, false, true); + } + + @Test + public void testQueueAclRestrictedD() throws IOException { + updateConfigWithDAndD1Queues(ALL_ACL, NONE_ACL, ALL_ACL); + checkAccess(true, true, true); + } + + @Test + public void testQueueAclRestrictedD1() throws IOException { + updateConfigWithDAndD1Queues(ALL_ACL, ALL_ACL, NONE_ACL); + checkAccess(true, true, true); + } + + @Test + public void testQueueAclDefaultValues() throws IOException { + updateConfigWithDAndD1Queues(null, null, null); + checkAccess(true, true, true); + } + + + private void checkAccess(boolean rootAccess, boolean dAccess, + boolean d1Access) throws IOException { + UserGroupInformation user = UserGroupInformation.getCurrentUser(); + + String failureMsg = "Wrong %s access to %s queue"; + Assert.assertEquals( + String.format(failureMsg, QueueACL.ADMINISTER_QUEUE, "root"), + rootAccess, resourceManager.getResourceScheduler() + .checkAccess(user, QueueACL.ADMINISTER_QUEUE, "root")); + Assert.assertEquals( + String.format(failureMsg, QueueACL.SUBMIT_APPLICATIONS, "root"), + rootAccess, resourceManager.getResourceScheduler() + .checkAccess(user, QueueACL.SUBMIT_APPLICATIONS, "root")); + + Assert.assertEquals( + String.format(failureMsg, QueueACL.ADMINISTER_QUEUE, getQueueD()), + dAccess, resourceManager.getResourceScheduler() + .checkAccess(user, QueueACL.ADMINISTER_QUEUE, getQueueD())); + Assert.assertEquals( + String.format(failureMsg, QueueACL.SUBMIT_APPLICATIONS, getQueueD()), + dAccess, resourceManager.getResourceScheduler() + .checkAccess(user, QueueACL.SUBMIT_APPLICATIONS, getQueueD())); + + Assert.assertEquals( + String.format(failureMsg, QueueACL.ADMINISTER_QUEUE, getQueueD1()), + d1Access, resourceManager.getResourceScheduler() + .checkAccess(user, QueueACL.ADMINISTER_QUEUE, getQueueD1())); + Assert.assertEquals( + String.format(failureMsg, QueueACL.SUBMIT_APPLICATIONS, getQueueD1()), + d1Access, resourceManager.getResourceScheduler() + .checkAccess(user, QueueACL.SUBMIT_APPLICATIONS, getQueueD1())); + } + private void verifyGetClientAMToken(String submitter, String queueAdmin, String queueName, boolean setupACLs) throws Exception { ApplicationId applicationId = diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacitySchedulerQueueACLs.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacitySchedulerQueueACLs.java index 5feb94b5879..13524b58025 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacitySchedulerQueueACLs.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/TestCapacitySchedulerQueueACLs.java @@ -17,6 +17,7 @@ */ package org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity; +import java.io.IOException; import java.util.HashMap; import java.util.Map; @@ -71,4 +72,65 @@ protected Configuration createConfiguration() { return csConf; } + + @Override + public String getQueueD() { + return QUEUED; + } + + @Override + public String getQueueD1() { + return QUEUED1; + } + + /** + * Updates the configuration with the following queue hierarchy: + * root + * | + * D + * | + * D1 + * @param rootAcl administer queue and submit application acl for root queue + * @param queueDAcl administer queue and submit application acl for D queue + * @param queueD1Acl administer queue and submit application acl for D1 queue + * @throws IOException + */ + @Override + public void updateConfigWithDAndD1Queues(String rootAcl, String queueDAcl, + String queueD1Acl) throws IOException { + CapacitySchedulerConfiguration csConf = + (CapacitySchedulerConfiguration) getConf(); + csConf.clear(); + csConf.setQueues(CapacitySchedulerConfiguration.ROOT, + new String[] {QUEUED, QUEUEA, QUEUEB}); + + String cPath = CapacitySchedulerConfiguration.ROOT + "." + QUEUED; + String c1Path = cPath + "." + QUEUED1; + csConf.setQueues(cPath, new String[] {QUEUED1}); + csConf.setCapacity(c1Path, 100); + csConf.setCapacity(CapacitySchedulerConfiguration.ROOT + "." + + QUEUEA, 30f); + csConf.setCapacity(CapacitySchedulerConfiguration.ROOT + "." + + QUEUEB, 50f); + csConf.setCapacity(cPath, 20f); + + if (rootAcl != null) { + csConf.setAcl(CapacitySchedulerConfiguration.ROOT, + QueueACL.SUBMIT_APPLICATIONS, rootAcl); + csConf.setAcl(CapacitySchedulerConfiguration.ROOT, + QueueACL.ADMINISTER_QUEUE, rootAcl); + } + + if(queueDAcl != null) { + csConf.setAcl(cPath, QueueACL.ADMINISTER_QUEUE, queueDAcl); + csConf.setAcl(cPath, QueueACL.SUBMIT_APPLICATIONS, queueDAcl); + } + + if(queueD1Acl != null) { + csConf.setAcl(c1Path, QueueACL.ADMINISTER_QUEUE, queueD1Acl); + csConf.setAcl(c1Path, QueueACL.SUBMIT_APPLICATIONS, queueD1Acl); + } + resourceManager.getResourceScheduler() + .reinitialize(csConf, resourceManager.getRMContext()); + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerQueueACLs.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerQueueACLs.java index ad56a209888..edabb91a1f0 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerQueueACLs.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/TestFairSchedulerQueueACLs.java @@ -18,8 +18,10 @@ package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair; import java.io.File; +import java.io.IOException; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.test.GenericTestUtils; import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.server.resourcemanager.QueueACLsTestBase; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair @@ -32,8 +34,8 @@ protected Configuration createConfiguration() { FairSchedulerConfiguration fsConf = new FairSchedulerConfiguration(); - final String testDir = new File(System.getProperty("test.build.data", - "/tmp")).getAbsolutePath(); + final String testDir = new File(System.getProperty( + GenericTestUtils.SYSPROP_TEST_DATA_DIR,"/tmp")).getAbsolutePath(); final String allocFile = new File(testDir, "test-queues.xml") .getAbsolutePath(); @@ -57,4 +59,60 @@ protected Configuration createConfiguration() { return fsConf; } + + @Override + public String getQueueD() { + return "root." + QUEUED; + } + + @Override + public String getQueueD1() { + return "root."+ QUEUED + "." + QUEUED1; + } + + /** + * Creates the following queue hierarchy: + * root + * | + * D + * | + * D1 + * @param rootAcl administer queue and submit application acl for root queue + * @param queueDAcl administer queue and submit application acl for D queue + * @param queueD1Acl administer queue and submit application acl for D1 queue + * @throws IOException + */ + @Override + public void updateConfigWithDAndD1Queues(String rootAcl, String queueDAcl, + String queueD1Acl) throws IOException { + FairSchedulerConfiguration fsConf = (FairSchedulerConfiguration) getConf(); + fsConf.clear(); + final String testDir = new File(System.getProperty( + GenericTestUtils.SYSPROP_TEST_DATA_DIR,"/tmp")).getAbsolutePath(); + final String allocFile = new File(testDir, "test-queues.xml") + .getAbsolutePath(); + + AllocationFileWriter.create() + .addQueue(new AllocationFileQueue.Builder("root") + .aclSubmitApps(rootAcl) + .aclAdministerApps(rootAcl) + .subQueue(new AllocationFileQueue.Builder(QUEUED) + .aclAdministerApps(queueDAcl) + .aclSubmitApps(queueDAcl) + .subQueue(new AllocationFileQueue.Builder(QUEUED1) + .aclSubmitApps(queueD1Acl) + .aclAdministerApps(queueD1Acl) + .build()) + .build()) + .build()) + .writeToFile(allocFile); + + fsConf.set(FairSchedulerConfiguration.ALLOCATION_FILE, allocFile); + + fsConf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true); + fsConf.set(YarnConfiguration.RM_SCHEDULER, FairScheduler.class.getName()); + resourceManager.getResourceScheduler() + .reinitialize(fsConf, resourceManager.getRMContext()); + + } }