Java Code Examples for org.apache.hadoop.security.authorize.AccessControlList#addUser()

private Map<ApplicationAccessType, String> createACLs(String submitter,
    boolean setupACLs) {
  AccessControlList viewACL = new AccessControlList("");
  AccessControlList modifyACL = new AccessControlList("");
  if (setupACLs) {
    viewACL.addUser(submitter);
    viewACL.addUser(COMMON_USER);
    modifyACL.addUser(submitter);
    modifyACL.addUser(COMMON_USER);
  }
  Map<ApplicationAccessType, String> acls =
      new HashMap<ApplicationAccessType, String>();
  acls.put(ApplicationAccessType.VIEW_APP, viewACL.getAclString());
  acls.put(ApplicationAccessType.MODIFY_APP, modifyACL.getAclString());
  return acls;
}
 

private Map<ApplicationAccessType, String> createACLs(String submitter,
    boolean setupACLs) {
  AccessControlList viewACL = new AccessControlList("");
  AccessControlList modifyACL = new AccessControlList("");
  if (setupACLs) {
    viewACL.addUser(submitter);
    viewACL.addUser(COMMON_USER);
    modifyACL.addUser(submitter);
    modifyACL.addUser(COMMON_USER);
  }
  Map<ApplicationAccessType, String> acls =
      new HashMap<ApplicationAccessType, String>();
  acls.put(ApplicationAccessType.VIEW_APP, viewACL.getAclString());
  acls.put(ApplicationAccessType.MODIFY_APP, modifyACL.getAclString());
  return acls;
}
 

private AccessControlList getAdminAclList(Configuration conf) {
  AccessControlList aclList =
      new AccessControlList(conf.get(YarnConfiguration.YARN_ADMIN_ACL,
        YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
  aclList.addUser(daemonUser.getShortUserName());
  return aclList;
}
 

private void verifyOwnerAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    // View as owner
    rmClient.getApplicationReport(appReportRequest);

    // List apps as owner
    Assert.assertEquals("App view by owner should list the apps!!", 1,
        rmClient.getApplications(
            recordFactory.newRecordInstance(GetApplicationsRequest.class))
            .getApplicationList().size());

    // Kill app as owner
    rmClient.forceKillApplication(finishAppRequest);
    resourceManager.waitForState(applicationId, RMAppState.KILLED);
  }
 

private void verifySuperUserAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    ApplicationClientProtocol superUserClient = getRMClientForUser(SUPER_USER);

    // View as the superUser
    superUserClient.getApplicationReport(appReportRequest);

    // List apps as superUser
    Assert.assertEquals("App view by super-user should list the apps!!", 2,
        superUserClient.getApplications(
            recordFactory.newRecordInstance(GetApplicationsRequest.class))
            .getApplicationList().size());

    // Kill app as the superUser
    superUserClient.forceKillApplication(finishAppRequest);
    resourceManager.waitForState(applicationId, RMAppState.KILLED);
  }
 

private void verifyFriendAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    ApplicationClientProtocol friendClient = getRMClientForUser(FRIEND);

    // View as the friend
    friendClient.getApplicationReport(appReportRequest);

    // List apps as friend
    Assert.assertEquals("App view by a friend should list the apps!!", 3,
        friendClient.getApplications(
            recordFactory.newRecordInstance(GetApplicationsRequest.class))
            .getApplicationList().size());

    // Kill app as the friend
    friendClient.forceKillApplication(finishAppRequest);
    resourceManager.waitForState(applicationId, RMAppState.KILLED);
  }
 

private void verifyAdministerQueueUserAccess() throws Exception {
  isQueueUser = true;
  AccessControlList viewACL = new AccessControlList("");
  viewACL.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyACL = new AccessControlList("");
  modifyACL.addUser(FRIEND);
  ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

  final GetApplicationReportRequest appReportRequest = recordFactory
      .newRecordInstance(GetApplicationReportRequest.class);
  appReportRequest.setApplicationId(applicationId);
  final KillApplicationRequest finishAppRequest = recordFactory
      .newRecordInstance(KillApplicationRequest.class);
  finishAppRequest.setApplicationId(applicationId);

  ApplicationClientProtocol administerQueueUserRmClient =
      getRMClientForUser(QUEUE_ADMIN_USER);

  // View as the administerQueueUserRmClient
  administerQueueUserRmClient.getApplicationReport(appReportRequest);

  // List apps as administerQueueUserRmClient
  Assert.assertEquals("App view by queue-admin-user should list the apps!!",
      5, administerQueueUserRmClient.getApplications(
             recordFactory.newRecordInstance(GetApplicationsRequest.class))
             .getApplicationList().size());

  // Kill app as the administerQueueUserRmClient
  administerQueueUserRmClient.forceKillApplication(finishAppRequest);
  resourceManager.waitForState(applicationId, RMAppState.KILLED);
}
 

private AccessControlList getAdminAclList(Configuration conf) {
  AccessControlList aclList =
      new AccessControlList(conf.get(YarnConfiguration.YARN_ADMIN_ACL,
        YarnConfiguration.DEFAULT_YARN_ADMIN_ACL));
  aclList.addUser(daemonUser.getShortUserName());
  return aclList;
}
 

private void verifyOwnerAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    // View as owner
    rmClient.getApplicationReport(appReportRequest);

    // List apps as owner
    Assert.assertEquals("App view by owner should list the apps!!", 1,
        rmClient.getApplications(
            recordFactory.newRecordInstance(GetApplicationsRequest.class))
            .getApplicationList().size());

    // Kill app as owner
    rmClient.forceKillApplication(finishAppRequest);
    resourceManager.waitForState(applicationId, RMAppState.KILLED);
  }
 

private void verifySuperUserAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    ApplicationClientProtocol superUserClient = getRMClientForUser(SUPER_USER);

    // View as the superUser
    superUserClient.getApplicationReport(appReportRequest);

    // List apps as superUser
    Assert.assertEquals("App view by super-user should list the apps!!", 2,
        superUserClient.getApplications(
            recordFactory.newRecordInstance(GetApplicationsRequest.class))
            .getApplicationList().size());

    // Kill app as the superUser
    superUserClient.forceKillApplication(finishAppRequest);
    resourceManager.waitForState(applicationId, RMAppState.KILLED);
  }
 

private void verifyFriendAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    ApplicationClientProtocol friendClient = getRMClientForUser(FRIEND);

    // View as the friend
    friendClient.getApplicationReport(appReportRequest);

    // List apps as friend
    Assert.assertEquals("App view by a friend should list the apps!!", 3,
        friendClient.getApplications(
            recordFactory.newRecordInstance(GetApplicationsRequest.class))
            .getApplicationList().size());

    // Kill app as the friend
    friendClient.forceKillApplication(finishAppRequest);
    resourceManager.waitForState(applicationId, RMAppState.KILLED);
  }
 

private void verifyAdministerQueueUserAccess() throws Exception {
  isQueueUser = true;
  AccessControlList viewACL = new AccessControlList("");
  viewACL.addGroup(FRIENDLY_GROUP);
  AccessControlList modifyACL = new AccessControlList("");
  modifyACL.addUser(FRIEND);
  ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

  final GetApplicationReportRequest appReportRequest = recordFactory
      .newRecordInstance(GetApplicationReportRequest.class);
  appReportRequest.setApplicationId(applicationId);
  final KillApplicationRequest finishAppRequest = recordFactory
      .newRecordInstance(KillApplicationRequest.class);
  finishAppRequest.setApplicationId(applicationId);

  ApplicationClientProtocol administerQueueUserRmClient =
      getRMClientForUser(QUEUE_ADMIN_USER);

  // View as the administerQueueUserRmClient
  administerQueueUserRmClient.getApplicationReport(appReportRequest);

  // List apps as administerQueueUserRmClient
  Assert.assertEquals("App view by queue-admin-user should list the apps!!",
      5, administerQueueUserRmClient.getApplications(
             recordFactory.newRecordInstance(GetApplicationsRequest.class))
             .getApplicationList().size());

  // Kill app as the administerQueueUserRmClient
  administerQueueUserRmClient.forceKillApplication(finishAppRequest);
  resourceManager.waitForState(applicationId, RMAppState.KILLED);
}
 

private void verifyEnemyAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    ApplicationClientProtocol enemyRmClient = getRMClientForUser(ENEMY);

    // View as the enemy
    ApplicationReport appReport = enemyRmClient.getApplicationReport(
        appReportRequest).getApplicationReport();
    verifyEnemyAppReport(appReport);

    // List apps as enemy
    List<ApplicationReport> appReports = enemyRmClient
        .getApplications(recordFactory
            .newRecordInstance(GetApplicationsRequest.class))
        .getApplicationList();
    Assert.assertEquals("App view by enemy should list the apps!!", 4,
        appReports.size());
    for (ApplicationReport report : appReports) {
      verifyEnemyAppReport(report);
    }

    // Kill app as the enemy
    try {
      enemyRmClient.forceKillApplication(finishAppRequest);
      Assert.fail("App killing by the enemy should fail!!");
    } catch (YarnException e) {
      LOG.info("Got exception while killing app as the enemy", e);
      Assert
          .assertTrue(e.getMessage().contains(
              "User enemy cannot perform operation MODIFY_APP on "
                  + applicationId));
    }

    rmClient.forceKillApplication(finishAppRequest);
  }
 

@Override
protected Configuration createConfiguration() {
  CapacitySchedulerConfiguration csConf =
      new CapacitySchedulerConfiguration();
  csConf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] {
      QUEUEA, QUEUEB });

  csConf.setCapacity(CapacitySchedulerConfiguration.ROOT + "." + QUEUEA, 50f);
  csConf.setCapacity(CapacitySchedulerConfiguration.ROOT + "." + QUEUEB, 50f);

  Map<QueueACL, AccessControlList> aclsOnQueueA =
      new HashMap<QueueACL, AccessControlList>();
  AccessControlList submitACLonQueueA = new AccessControlList(QUEUE_A_USER);
  submitACLonQueueA.addUser(COMMON_USER);
  AccessControlList adminACLonQueueA = new AccessControlList(QUEUE_A_ADMIN);
  aclsOnQueueA.put(QueueACL.SUBMIT_APPLICATIONS, submitACLonQueueA);
  aclsOnQueueA.put(QueueACL.ADMINISTER_QUEUE, adminACLonQueueA);
  csConf.setAcls(CapacitySchedulerConfiguration.ROOT + "." + QUEUEA,
    aclsOnQueueA);

  Map<QueueACL, AccessControlList> aclsOnQueueB =
      new HashMap<QueueACL, AccessControlList>();
  AccessControlList submitACLonQueueB = new AccessControlList(QUEUE_B_USER);
  submitACLonQueueB.addUser(COMMON_USER);
  AccessControlList adminACLonQueueB = new AccessControlList(QUEUE_B_ADMIN);
  aclsOnQueueB.put(QueueACL.SUBMIT_APPLICATIONS, submitACLonQueueB);
  aclsOnQueueB.put(QueueACL.ADMINISTER_QUEUE, adminACLonQueueB);
  csConf.setAcls(CapacitySchedulerConfiguration.ROOT + "." + QUEUEB,
    aclsOnQueueB);

  Map<QueueACL, AccessControlList> aclsOnRootQueue =
      new HashMap<QueueACL, AccessControlList>();
  AccessControlList submitACLonRoot = new AccessControlList("");
  AccessControlList adminACLonRoot = new AccessControlList(ROOT_ADMIN);
  aclsOnRootQueue.put(QueueACL.SUBMIT_APPLICATIONS, submitACLonRoot);
  aclsOnRootQueue.put(QueueACL.ADMINISTER_QUEUE, adminACLonRoot);
  csConf.setAcls(CapacitySchedulerConfiguration.ROOT, aclsOnRootQueue);

  csConf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
  csConf.set("yarn.resourcemanager.scheduler.class", CapacityScheduler.class.getName());

  return csConf;
}
 

private void verifyEnemyAccess() throws Exception {

    AccessControlList viewACL = new AccessControlList("");
    viewACL.addGroup(FRIENDLY_GROUP);
    AccessControlList modifyACL = new AccessControlList("");
    modifyACL.addUser(FRIEND);
    ApplicationId applicationId = submitAppAndGetAppId(viewACL, modifyACL);

    final GetApplicationReportRequest appReportRequest = recordFactory
        .newRecordInstance(GetApplicationReportRequest.class);
    appReportRequest.setApplicationId(applicationId);
    final KillApplicationRequest finishAppRequest = recordFactory
        .newRecordInstance(KillApplicationRequest.class);
    finishAppRequest.setApplicationId(applicationId);

    ApplicationClientProtocol enemyRmClient = getRMClientForUser(ENEMY);

    // View as the enemy
    ApplicationReport appReport = enemyRmClient.getApplicationReport(
        appReportRequest).getApplicationReport();
    verifyEnemyAppReport(appReport);

    // List apps as enemy
    List<ApplicationReport> appReports = enemyRmClient
        .getApplications(recordFactory
            .newRecordInstance(GetApplicationsRequest.class))
        .getApplicationList();
    Assert.assertEquals("App view by enemy should list the apps!!", 4,
        appReports.size());
    for (ApplicationReport report : appReports) {
      verifyEnemyAppReport(report);
    }

    // Kill app as the enemy
    try {
      enemyRmClient.forceKillApplication(finishAppRequest);
      Assert.fail("App killing by the enemy should fail!!");
    } catch (YarnException e) {
      LOG.info("Got exception while killing app as the enemy", e);
      Assert
          .assertTrue(e.getMessage().contains(
              "User enemy cannot perform operation MODIFY_APP on "
                  + applicationId));
    }

    rmClient.forceKillApplication(finishAppRequest);
  }
 

@Override
protected Configuration createConfiguration() {
  CapacitySchedulerConfiguration csConf =
      new CapacitySchedulerConfiguration();
  csConf.setQueues(CapacitySchedulerConfiguration.ROOT, new String[] {
      QUEUEA, QUEUEB });

  csConf.setCapacity(CapacitySchedulerConfiguration.ROOT + "." + QUEUEA, 50f);
  csConf.setCapacity(CapacitySchedulerConfiguration.ROOT + "." + QUEUEB, 50f);

  Map<QueueACL, AccessControlList> aclsOnQueueA =
      new HashMap<QueueACL, AccessControlList>();
  AccessControlList submitACLonQueueA = new AccessControlList(QUEUE_A_USER);
  submitACLonQueueA.addUser(COMMON_USER);
  AccessControlList adminACLonQueueA = new AccessControlList(QUEUE_A_ADMIN);
  aclsOnQueueA.put(QueueACL.SUBMIT_APPLICATIONS, submitACLonQueueA);
  aclsOnQueueA.put(QueueACL.ADMINISTER_QUEUE, adminACLonQueueA);
  csConf.setAcls(CapacitySchedulerConfiguration.ROOT + "." + QUEUEA,
    aclsOnQueueA);

  Map<QueueACL, AccessControlList> aclsOnQueueB =
      new HashMap<QueueACL, AccessControlList>();
  AccessControlList submitACLonQueueB = new AccessControlList(QUEUE_B_USER);
  submitACLonQueueB.addUser(COMMON_USER);
  AccessControlList adminACLonQueueB = new AccessControlList(QUEUE_B_ADMIN);
  aclsOnQueueB.put(QueueACL.SUBMIT_APPLICATIONS, submitACLonQueueB);
  aclsOnQueueB.put(QueueACL.ADMINISTER_QUEUE, adminACLonQueueB);
  csConf.setAcls(CapacitySchedulerConfiguration.ROOT + "." + QUEUEB,
    aclsOnQueueB);

  Map<QueueACL, AccessControlList> aclsOnRootQueue =
      new HashMap<QueueACL, AccessControlList>();
  AccessControlList submitACLonRoot = new AccessControlList("");
  AccessControlList adminACLonRoot = new AccessControlList(ROOT_ADMIN);
  aclsOnRootQueue.put(QueueACL.SUBMIT_APPLICATIONS, submitACLonRoot);
  aclsOnRootQueue.put(QueueACL.ADMINISTER_QUEUE, adminACLonRoot);
  csConf.setAcls(CapacitySchedulerConfiguration.ROOT, aclsOnRootQueue);

  csConf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
  csConf.set("yarn.resourcemanager.scheduler.class", CapacityScheduler.class.getName());

  return csConf;
}