From 1295619aa15a582d8b4259d5fdb8ddf15fd7c0b1 Mon Sep 17 00:00:00 2001 From: jutia Date: Tue, 4 Aug 2020 16:38:18 +0800 Subject: [PATCH] Add FORBID_SUBMIT_APPLICATIONS permission --- .../org/apache/hadoop/yarn/api/records/QueueACL.java | 5 +++++ .../hadoop-yarn-api/src/main/proto/yarn_protos.proto | 1 + .../org/apache/hadoop/yarn/security/AccessType.java | 1 + .../yarn/server/resourcemanager/RMAppManager.java | 10 ++++++++++ .../resourcemanager/scheduler/SchedulerUtils.java | 2 ++ .../capacity/CapacitySchedulerConfiguration.java | 4 ++++ 6 files changed, 23 insertions(+) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java index 585faf86d5f..499be1d766e 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/api/records/QueueACL.java @@ -48,4 +48,9 @@ * ACL to administer the queue. */ ADMINISTER_QUEUE, + + /** + * ACL to forbid submitting applications to the queue. + */ + FORBID_SUBMIT_APPLICATIONS, } \ No newline at end of file diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto index d7ca2a563ea..f1964363b7d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/proto/yarn_protos.proto @@ -631,6 +631,7 @@ message QueueConfigurationsMapProto { enum QueueACLProto { QACL_SUBMIT_APPLICATIONS = 1; QACL_ADMINISTER_QUEUE = 2; + QACL_FORBID_SUBMIT_APPLICATIONS = 3; } message QueueUserACLInfoProto { 
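Review bot: `FORBID_SUBMIT_APPLICATIONS` in QueueACL.java is a deny entry added to an enum whose other members are grants, and its Javadoc does not say so or state which side wins when a user matches both lists. Code that walks `QueueACL.values()` to report or evaluate what a user may do would present deny-list membership as a permission held; no such code is visible in this patch, so it needs checking. I would document the precedence on the constant, for example `Deny list for the queue: a user or group matched here is refused submission even if SUBMIT_APPLICATIONS or ADMINISTER_QUEUE would allow it.` The diffstat lists six files and none is a test, so the precedence and inheritance behaviour of this access-control change is unverified in the commit.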
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
index fb4484bc638..3c67d64d410 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/security/AccessType.java
@@ -30,6 +30,7 @@
 // queue
 SUBMIT_APP,
 ADMINISTER_QUEUE,
+ FORBID_SUBMIT_APP,
 // application
 APPLICATION_MAX_PRIORITY,
 }
\ No newline at end of file
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java
index 440b0ea6717..c784f08bafb 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/RMAppManager.java
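Review bot: `FORBID_SUBMIT_APP` in AccessType.java inverts the meaning of an authorizer answer: for the other access types listed here a `true` from `checkPermission` grants, while for this one it blocks. An authorizer implementation that answers `true` for privileged users regardless of the requested type would lock those users out, and one that answers `false` for a type it does not recognise would silently leave the deny list unenforced. Which implementations exist is not visible in this patch, so each pluggable authorizer should be checked against the new type. A comment on the constant would make the contract explicit, for example `// deny entry: checkPermission() == true means the user is refused`.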
@@ -472,6 +472,16 @@ private RMAppImpl createAndPopulateNewRMApp( + applicationId + " to queue " + submissionContext.getQueue())); } + if (null != csqueue && authorizer.checkPermission( + new AccessRequest(csqueue.getPrivilegedEntity(), userUgi, + SchedulerUtils.toAccessType(QueueACL.FORBID_SUBMIT_APPLICATIONS), + applicationId.toString(), appName, Server.getRemoteAddress(), + null))) { + throw RPCUtil.getRemoteException(new AccessControlException( + "User " + user + " is forbidden to submit " + applicationId + + " to queue " + submissionContext.getQueue())); + } + } if (scheduler instanceof FairScheduler) { // if we have not placed the app just skip this, the submit will be diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java index 7ec1c33346b..4bc84f05d0c 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/SchedulerUtils.java @@ -560,6 +560,8 @@ public static AccessType toAccessType(QueueACL acl) { return AccessType.ADMINISTER_QUEUE; case SUBMIT_APPLICATIONS: return AccessType.SUBMIT_APP; + case FORBID_SUBMIT_APPLICATIONS: + return AccessType.FORBID_SUBMIT_APP; } return null; } 
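Review bot: The deny list is enforced only at this one call site in `createAndPopulateNewRMApp`, and the closing brace right after the added block, followed by `if (scheduler instanceof FairScheduler)`, suggests it sits inside a scheduler-specific branch that opens outside the hunk. If so, a configured deny entry has no effect under other schedulers, and any other path that places an application into a queue after submission is not covered by this patch. The `null != csqueue` guard also skips the check when the queue cannot be resolved, which is safe only if such submissions are rejected later. I would move the check into a small helper whose Javadoc states that deny overrides allow, call it from every placement path, and add tests for a user present in both the submit and forbid lists, a queue administrator in the forbid list, and an entry set on a parent queue.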
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
index 3bebb44a6f6..5919832612f 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/capacity/CapacitySchedulerConfiguration.java
@@ -790,6 +790,10 @@ public AccessControlList getAcl(String queue, QueueACL acl) {
 // The root queue defaults to all access if not defined
 // Sub queues inherit access if not defined
 String defaultAcl = queue.equals(ROOT) ? ALL_ACL : NONE_ACL;
+ if (acl == QueueACL.FORBID_SUBMIT_APPLICATIONS) {
+ defaultAcl = NONE_ACL;
+ }
+
 String aclString = get(queuePrefix + getAclKey(acl), defaultAcl);
 return new AccessControlList(aclString);
 }
-- 
2.21.0.windows.1
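Review bot: The two context comments above the added lines now misdescribe `getAcl` for the deny list, since `FORBID_SUBMIT_APPLICATIONS` never defaults to all access at root. Folding the override into the initial assignment keeps the default in one place: `String defaultAcl = (queue.equals(ROOT) && acl != QueueACL.FORBID_SUBMIT_APPLICATIONS) ? ALL_ACL : NONE_ACL;`, with a comment such as `// Deny lists default to empty at every level; an unset root entry must not block everyone.` If the inheritance described by the existing comment also applies to this ACL, a wildcard deny entry on a parent would refuse submissions to every queue below it, so a warning at configuration load for a wildcard value is worth adding. Any other place that applies the root-defaults-to-all rule across all `QueueACL` values needs the same exception; none is visible in this patch.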