diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java index 6c1be0e34a0..a3a477f1f23 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java @@ -3819,6 +3819,10 @@ public static boolean isAclEnabled(Configuration conf) { public static final String ROUTER_PREFIX = YARN_PREFIX + "router."; + public static final String ROUTER_KEYTAB = ROUTER_PREFIX + "keytab"; + + public static final String ROUTER_PRINCIPAL = ROUTER_PREFIX + "principal"; + public static final String ROUTER_BIND_HOST = ROUTER_PREFIX + "bind-host"; public static final String ROUTER_CLIENTRM_PREFIX = diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml index 47f123918b6..ece53a83a3f 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml @@ -3953,6 +3953,17 @@ false + + The keytab for the router. + yarn.router.keytab + /etc/krb5.keytab + + + + The Kerberos principal for the router. + yarn.router.principal + + The comma separated list of class names that implement the diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/uam/UnmanagedApplicationManager.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/uam/UnmanagedApplicationManager.java index 47d78309466..24e3ff91102 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/uam/UnmanagedApplicationManager.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-common/src/main/java/org/apache/hadoop/yarn/server/uam/UnmanagedApplicationManager.java @@ -382,8 +382,14 @@ public AMRMClientRelayer getAMRMClientRelayer() { protected Token initializeUnmanagedAM( ApplicationId appId) throws IOException, YarnException { try { - UserGroupInformation appSubmitter = - UserGroupInformation.createRemoteUser(this.submitter); + UserGroupInformation appSubmitter; + if (UserGroupInformation.isSecurityEnabled()) { + appSubmitter = + UserGroupInformation.createProxyUser(this.submitter, UserGroupInformation.getLoginUser()); + } else { + appSubmitter = + UserGroupInformation.createRemoteUser(this.submitter); + } this.rmClient = createRMProxy(ApplicationClientProtocol.class, this.conf, appSubmitter, null); diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/pom.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/pom.xml index d29929047af..aa808801df4 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/pom.xml +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/pom.xml @@ -116,6 +116,19 @@ guice + + org.apache.hadoop + hadoop-minikdc + test + + + + org.apache.hadoop + hadoop-auth + test + test-jar + + diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/Router.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/Router.java index eb7b71d54ed..f30ec6160e5 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/Router.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/Router.java @@ -25,6 +25,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem; import org.apache.hadoop.metrics2.source.JvmMetrics; +import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.service.CompositeService; import org.apache.hadoop.util.JvmPauseMonitor; import org.apache.hadoop.util.ShutdownHookManager; @@ -88,7 +89,7 @@ public Router() { } protected void doSecureLogin() throws IOException { - // TODO YARN-6539 Create SecureLogin inside Router + SecurityUtil.login(this.conf, YarnConfiguration.ROUTER_KEYTAB, YarnConfiguration.ROUTER_PRINCIPAL); } @Override diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/AbstractClientRequestInterceptor.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/AbstractClientRequestInterceptor.java index 01ba3bdcadf..ddbbb1dcdb4 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/AbstractClientRequestInterceptor.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/clientrm/AbstractClientRequestInterceptor.java @@ -106,12 +106,17 @@ private void setupUser(String userName) { try { // Do not create a proxy user if user name matches the user name on // current UGI - if (userName.equalsIgnoreCase( - UserGroupInformation.getCurrentUser().getUserName())) { - user = UserGroupInformation.getCurrentUser(); - } else { + if (UserGroupInformation.isSecurityEnabled()) { user = UserGroupInformation.createProxyUser(userName, - UserGroupInformation.getCurrentUser()); + UserGroupInformation.getLoginUser()); + } else { + if (userName.equalsIgnoreCase( + UserGroupInformation.getCurrentUser().getUserName())) { + user = UserGroupInformation.getCurrentUser(); + } else { + user = UserGroupInformation.createProxyUser(userName, + UserGroupInformation.getCurrentUser()); + } } } catch (IOException e) { String message = "Error while creating Router ClientRM Service for user:"; diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/security/TestSecureLogin.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/security/TestSecureLogin.java new file mode 100644 index 00000000000..f38cd013fd2 --- /dev/null +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/test/java/org/apache/hadoop/yarn/server/router/security/TestSecureLogin.java @@ -0,0 +1,72 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.yarn.server.router.security; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.CommonConfigurationKeysPublic; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hadoop.yarn.conf.YarnConfiguration; +import org.apache.hadoop.yarn.server.router.Router; +import org.junit.BeforeClass; +import org.apache.hadoop.minikdc.MiniKdc; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.apache.hadoop.security.authentication.KerberosTestUtils; +import java.io.File; +import static org.junit.Assert.assertTrue; + +public class TestSecureLogin { + protected static Logger LOG = + LoggerFactory.getLogger(TestSecureLogin.class); + + private static final File testRootDir = new File("target", + TestSecureLogin.class.getName() + "-root"); + private static File routerKeytabFile = new File( + KerberosTestUtils.getKeytabFile()); + + private static MiniKdc testMiniKDC; + private static Router router; + private static Configuration conf; + + @BeforeClass + public static void setUp() { + try { + testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir); + testMiniKDC.start(); + testMiniKDC.createPrincipal(routerKeytabFile, "yarn/localhost"); + } catch (Exception e) { + assertTrue("Couldn't setup MiniKDC", false); + } + } + + @Test + public void testRouterSecureLogin() { + conf = new YarnConfiguration(); + conf.set(YarnConfiguration.ROUTER_BIND_HOST, "0.0.0.0"); + conf.set(YarnConfiguration.ROUTER_CLIENTRM_INTERCEPTOR_CLASS_PIPELINE, "org.apache.hadoop.yarn.server.router.clientrm.FederationClientInterceptor"); + conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); + conf.set("yarn.router.principal", "yarn/localhost@EXAMPLE.COM"); + conf.set("yarn.router.keytab", routerKeytabFile.getAbsolutePath()); + UserGroupInformation.setConfiguration(conf); + router = new Router(); + router.init(conf); + router.start(); + } +}