List of usage examples for org.apache.hadoop.security UserGroupInformation isSecurityEnabled
public static boolean isSecurityEnabled()
From source file:uk.ac.gla.terrier.probos.controller.ControllerServer.java
License:Open Source License
/**
 * Builds the controller: loads the YARN and ProBoS configurations, performs the
 * Kerberos keytab login when Hadoop security is enabled, builds the three RPC
 * servers (client, master, interactive) that share one delegation-token secret
 * manager, sets up the HTTP UI servlets, resolves the job directory and
 * registers the metrics.
 *
 * <p>Only {@code build()} / {@code init()} calls are visible here; the watcher
 * thread is created and named but not started in this constructor.
 *
 * @param _hconf base Hadoop configuration; wrapped by both the
 *               {@code YarnConfiguration} and the {@code PConfiguration}
 * @throws IOException              declared by the constructor; in particular a
 *                                  {@code FileNotFoundException} when security is
 *                                  enabled and the keytab file cannot be found
 * @throws IllegalArgumentException if the bind address is not configured or the
 *                                  job directory does not exist
 */
public ControllerServer(Configuration _hconf) throws IOException {
    this.yConf = new YarnConfiguration(_hconf);
    yConf.addResource("yarn-site.xml");
    // UGI must see the configuration before isSecurityEnabled() is consulted below.
    UserGroupInformation.setConfiguration(yConf);
    this.pConf = new PConfiguration(_hconf);

    //do the Kerberos authentication
    if (UserGroupInformation.isSecurityEnabled()) {
        final String principal = pConf.get(PConfiguration.KEY_CONTROLLER_PRINCIPAL);
        String keytab = pConf.get(PConfiguration.KEY_CONTROLLER_KEYTAB);
        // NOTE(review): if the keytab key is unset and pConf.get() returns null,
        // new File(null) throws a NullPointerException with no message. The bind
        // address below gets an explicit null check; the keytab does not.
        File fKeytab = new File(keytab);
        if (!fKeytab.exists()) {
            if (!fKeytab.isAbsolute()) {
                // Relative keytab paths are retried under the directory named by the
                // "probos.conf" system property, and the resolved path is written back
                // into the configuration so SecurityUtil.login() reads the same file.
                // NOTE(review): if "probos.conf" is unset, the concatenation yields
                // "null/<keytab>" and the failure surfaces as the exception below.
                keytab = System.getProperty("probos.conf") + '/' + keytab;
                fKeytab = new File(keytab);
                pConf.set(PConfiguration.KEY_CONTROLLER_KEYTAB, keytab);
            }
            if (!fKeytab.exists())
                throw new FileNotFoundException("Could not find keytab file " + keytab);
        }
        // Only the principal name and keytab path are logged, not key material.
        LOG.debug("Starting login for " + principal + " using keytab " + keytab);
        SecurityUtil.login(pConf, PConfiguration.KEY_CONTROLLER_KEYTAB,
                PConfiguration.KEY_CONTROLLER_PRINCIPAL, Utils.getHostname());
        LOG.info("Switched principal to " + UserGroupInformation.getCurrentUser().getUserName());
    }

    this.mClient = MailClient.getMailClient(this.pConf);

    final String bindAddress = pConf.get(PConfiguration.KEY_CONTROLLER_BIND_ADDRESS);
    if (bindAddress == null)
        throw new IllegalArgumentException(PConfiguration.KEY_CONTROLLER_BIND_ADDRESS + " cannot be null");

    // One secret manager is shared by all three RPC servers built below.
    // All four arguments are int millisecond products; the largest,
    // 14 * 24 * 3600 * 1000 = 1,209,600,000, still fits in an int.
    secretManager = new ControllerAPISecretManager(
            //delegationKeyUpdateInterval
            //renewal interval for delegation token
            7 * 24 * 3600 * 1000, //Yarn default is 7 day
            //delegationTokenMaxLifetime -- maximum lifetime for which a delegation token is valid
            //i.e. how long can we keep renewing the token for?
            14 * 24 * 3600 * 1000, //Yarn default is 14 days
            //delegationTokenRenewInterval -- how long should a token last?
            7 * 24 * 3600 * 1000, //Yarn default is 7 day
            //delegationTokenRemoverScanInterval -- how often are expired keys removed?
            3600 * 1000); //Yarn default is 1 hour

    //build the client rpc server: 8027
    int port = pConf.getInt(PConfiguration.KEY_CONTROLLER_PORT, 8027);
    LOG.info("Starting RPC server for " + PBSClient.class.getSimpleName() + " on port " + port);
    clientRpcserver = new RPC.Builder(yConf).setInstance(this).setBindAddress(bindAddress)
            .setProtocol(PBSClient.class).setPort(port).setSecretManager(secretManager).
            //setVerbose(true).
            build();
    // The policy file property is set before the first service-ACL refresh; the
    // same ControllerPolicyProvider is applied to each of the three servers.
    System.setProperty("hadoop.policy.file", Constants.PRODUCT_NAME + "-policy.xml");
    clientRpcserver.refreshServiceAclWithLoadedConfiguration(yConf, new ControllerPolicyProvider());

    //build the master rpc server: 8028
    port = Constants.CONTROLLER_MASTER_PORT_OFFSET + pConf.getInt(PConfiguration.KEY_CONTROLLER_PORT, 8027);
    LOG.info("Starting RPC server for " + PBSMasterClient.class.getSimpleName() + " on port " + port);
    masterRpcserver = new RPC.Builder(yConf).setInstance(new ApplicationMasterAPI()).setBindAddress(bindAddress)
            .setProtocol(PBSMasterClient.class).setPort(port).setSecretManager(secretManager).
            //setVerbose(true).
            build();
    masterRpcserver.refreshServiceAclWithLoadedConfiguration(yConf, new ControllerPolicyProvider());

    port = Constants.CONTROLLER_INTERACTIVE_PORT_OFFSET + pConf.getInt(PConfiguration.KEY_CONTROLLER_PORT, 8027);
    LOG.info("Starting RPC server for " + PBSInteractiveClient.class.getSimpleName() + " on port " + port);
    //build the interactive rpc server: 8026
    interactiveRpcserver = new RPC.Builder(yConf).setInstance(new InteractiveTaskAPI())
            .setBindAddress(bindAddress).setProtocol(PBSInteractiveClient.class).setPort(port)
            .setSecretManager(secretManager).
            //setVerbose(true).
            build();
    interactiveRpcserver.refreshServiceAclWithLoadedConfiguration(yConf, new ControllerPolicyProvider());

    //build the webapp UI server
    // NOTE(review): "/metrics" and "/jmx" expose process internals over HTTP. Whether
    // WebServer applies authentication or a bind-address restriction to these
    // servlets is not visible from this constructor -- confirm before exposing the port.
    final List<Entry<String, HttpServlet>> controllerServlets = new ArrayList<>();
    controllerServlets
            .add(new MapEntry<String, HttpServlet>("/", new QstatServlet("/", controllerServlets, this)));
    controllerServlets.add(
            new MapEntry<String, HttpServlet>("/pbsnodes", new PbsnodesServlet("/", controllerServlets, this)));
    //metrics is the Servlet from metrics.dropwizard for accessing metrics
    controllerServlets.add(new MapEntry<String, HttpServlet>("/metrics", new MetricsServlet(metrics)));
    //this is the hadoop servlet for accessing anything defined in JMX
    controllerServlets.add(new MapEntry<String, HttpServlet>("/jmx", new JMXJsonServlet()));
    final int httpport = pConf.getInt(PConfiguration.KEY_CONTROLLER_HTTP_PORT,
            Constants.DEFAULT_CONTROLLER_PORT + Constants.CONTROLLER_HTTP_PORT_OFFSET);
    LOG.info("Starting Jetty ProbosControllerHttp on port " + httpport);
    webServer = new WebServer("ProbosControllerHttp", controllerServlets, httpport);
    webServer.init(pConf);

    //this thread detects yarn jobs that have ended
    watcherThread = new Thread(new ControllerWatcher());
    watcherThread.setName(ControllerWatcher.class.getSimpleName());

    //ensure we have the directory
    Path _probosFolder = new Path(pConf.get(PConfiguration.KEY_CONTROLLER_JOBDIR));
    FileSystem controllerFS = FileSystem.get(yConf);
    if (!_probosFolder.isUriPathAbsolute()) {
        // Relative job directories are qualified against the controller's file system.
        _probosFolder = _probosFolder.makeQualified(controllerFS.getUri(), controllerFS.getWorkingDirectory());
        assert _probosFolder.isUriPathAbsolute();
    }
    probosFolder = _probosFolder;
    // The directory is required to exist already; it is not created here.
    // NOTE(review): its ownership and permissions are not checked at this point,
    // although job scripts for every user are later written beneath it -- confirm
    // how the deployment restricts it.
    if (!controllerFS.exists(probosFolder)) {
        throw new IllegalArgumentException(probosFolder.toString() + " does not exist");
    }

    //now initialise the metrics

    //jobs.queued.size
    metrics.register(MetricRegistry.name(ControllerServer.class, "jobs", "queued.size"),
            new Gauge<Integer>() {
                @Override
                public Integer getValue() {
                    // Sum of the per-user queued counts.
                    int sum = 0;
                    for (int i : user2QueuedCount.values())
                        sum += i;
                    return sum;
                }
            });
    //jobs.size
    metrics.register(MetricRegistry.name(ControllerServer.class, "jobs", "size"), new Gauge<Integer>() {
        @Override
        public Integer getValue() {
            return jobArray.size();
        }
    });
    //jobs.held.size
    metrics.register(MetricRegistry.name(ControllerServer.class, "jobs", "held.size"), new Gauge<Integer>() {
        @Override
        public Integer getValue() {
            return jobHolds.size();
        }
    });
    //nodes.size
    metrics.register(MetricRegistry.name(ControllerServer.class, "nodes", "size"), new Gauge<Integer>() {
        @Override
        public Integer getValue() {
            try {
                return getNodesStatus().length;
            } catch (Exception e) {
                // Any failure is reported as 0 nodes; the exception is not logged.
                return 0;
            }
        }
    });
    //nodes.free.size
    metrics.register(MetricRegistry.name(ControllerServer.class, "nodes", "free.size"),
            new Gauge<Integer>() {
                @Override
                public Integer getValue() {
                    try {
                        PBSNodeStatus[] nodes = getNodesStatus();
                        int count = 0;
                        for (PBSNodeStatus n : nodes)
                            if ("free".equals(n.getState()))
                                count++;
                        return count;
                    } catch (Exception e) {
                        // Any failure is reported as 0 free nodes; the exception is not logged.
                        return 0;
                    }
                }
            });
    runningJobs = metrics.counter(MetricRegistry.name(ControllerServer.class, "jobs", "running.counter"));
    rejectedJobs = metrics.counter(MetricRegistry.name(ControllerServer.class, "jobs", "rejected.counter"));
    killedJobs = metrics.counter(MetricRegistry.name(ControllerServer.class, "jobs", "killed.counter"));
    mailEvents = metrics.counter(MetricRegistry.name(ControllerServer.class, "mails", "counter"));
    mailFailures = metrics.counter(MetricRegistry.name(ControllerServer.class, "mails", "failure.counter"));
}
From source file:uk.ac.gla.terrier.probos.controller.ControllerServer.java
License:Open Source License
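/**
 * Stores a submitted job script under the controller's job directory and records
 * its location on the job.
 *
 * <p>A job folder {@code <probosFolder>/<n>} and a script file
 * {@code <probosFolder>/<n>.SC} are created, where {@code n} is a non-negative
 * random integer. When Hadoop security is enabled the write runs as a proxy user
 * for {@code requestorUserName}; otherwise it runs as the controller process itself.
 *
 * @param ji                the job being submitted; its {@code proxyUser},
 *                          {@code scriptLocation} and {@code folderLocation} are set on success
 * @param requestorUserName user to impersonate for the write
 *                          (presumably the authenticated RPC caller; verify against caller)
 * @param source            raw bytes of the job script
 * @return {@code true} if the script was stored, {@code false} if any step failed
 *         (the failure is logged)
 * @throws IOException declared for callers; failures inside the write are caught and
 *                     reported through the return value
 */
protected boolean storeJobScript(final JobInformation ji, final String requestorUserName, final byte[] source)
        throws IOException {
    // Mask off the sign bit instead of Math.abs(): Math.abs(Integer.MIN_VALUE) is
    // still negative and would produce a folder name starting with '-'.
    // NOTE(review): the type of `random` is not visible here. If it is a plain
    // java.util.Random the names are predictable; confirm that the job directory's
    // permissions make that irrelevant, or switch the field to SecureRandom.
    final String jobFolderName = String.valueOf(random.nextInt() & Integer.MAX_VALUE);
    final Path jobFolder = new Path(probosFolder, jobFolderName);
    final Path script = new Path(probosFolder, jobFolderName + ".SC");

    PrivilegedExceptionAction<Path> submitAction = new PrivilegedExceptionAction<Path>() {
        @Override
        public Path run() throws Exception {
            FileSystem fs = FileSystem.get(yConf);
            fs.mkdirs(jobFolder);
            // overwrite=false: a name collision must fail the submission rather than
            // silently replace another job's script. try-with-resources closes the
            // stream even when the write fails.
            try (OutputStream os = fs.create(script, false)) {
                os.write(source);
            }
            LOG.info("Wrote " + source.length + " bytes to " + script.toString()
                    + " as the job script for job " + ji.jobId);
            return script;
        }
    };

    //setuid to the requestor's user id
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(requestorUserName,
            UserGroupInformation.getLoginUser());
    Path rtr = null;
    try {
        if (UserGroupInformation.isSecurityEnabled()) {
            rtr = proxyUser.doAs(submitAction);
        } else {
            // Without Hadoop security there is no impersonation: the files are
            // created by the controller's own user.
            rtr = submitAction.run();
        }
        ji.proxyUser = proxyUser;
        ji.scriptLocation = rtr;
        ji.folderLocation = jobFolder;
        ji.modify();
        return true;
    } catch (Exception e) {
        LOG.error("Could not store job file!", e);
        return false;
    }
}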
From source file:uk.ac.gla.terrier.probos.controller.ControllerServer.java
License:Open Source License
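/**
 * Submits a stored job to YARN on behalf of the requesting user.
 *
 * <p>The submit action writes the Kitten job specification, creates one delegation
 * token per controller RPC server (interactive, client, master), and starts a
 * {@code YarnClientService} with those credentials. When Hadoop security is enabled
 * the action runs as a proxy user for {@code requestorUserName}; otherwise it runs
 * as the controller process itself.
 *
 * @param ji                the job to submit; {@code scriptLocation} and
 *                          {@code folderLocation} must already be set
 * @param requestorUserName user to impersonate for the submission
 *                          (presumably the authenticated RPC caller; verify against caller)
 * @return the job id returned by the submit action, or -1 if the submission threw
 * @throws IOException declared for callers; failures inside the submission are caught,
 *                     logged and reported as -1
 */
protected int yarnJob(final JobInformation ji, final String requestorUserName) throws IOException {
    // NOTE(review): these preconditions are only enforced when the JVM runs with -ea.
    assert ji.scriptLocation != null;
    assert ji.folderLocation != null;
    final PBSJob job = ji.jobSpec;
    // Set by the action only once the YARN client service is confirmed running, so
    // the running-jobs counter is not incremented for a job that never started.
    // doAs() runs the action on the calling thread, so a plain array is sufficient.
    final boolean[] started = { false };

    PrivilegedExceptionAction<Integer> submitAction = new PrivilegedExceptionAction<Integer>() {
        @Override
        public Integer run() throws Exception {
            File luaFile = writeJobKittenSpec(job, ji.scriptLocation, ji.jobId, false);
            Configuration kConf = new Configuration(yConf);
            kConf.set(LocalDataHelper.APP_BASE_DIR, ji.folderLocation.toUri().toString());
            YarnClientParameters params = new LuaYarnClientParameters(luaFile.toString(),
                    Constants.PRODUCT_NAME, kConf, extraLuaValues, extraLocalResources);
            ji.jobSpec.setQueue(params.getQueue());

            Credentials creds = new Credentials();
            //create delegation tokens
            // Each token is bound to one RPC server through its "ip:port" service name.
            // NOTE(review): the INFO lines below print the Credentials and Token
            // objects; confirm that their toString() output contains nothing sensitive
            // for the Hadoop version in use before shipping these logs off-host.

            //interactive rpc
            InetSocketAddress addr = NetUtils.getConnectAddress(interactiveRpcserver);
            Text host = new Text(addr.getAddress().getHostAddress() + ":" + addr.getPort());
            ProbosDelegationTokenIdentifier tokenId = secretManager.createIdentifier();
            Token<ProbosDelegationTokenIdentifier> delegationToken =
                    new Token<ProbosDelegationTokenIdentifier>(tokenId, secretManager);
            delegationToken.setService(host);
            creds.addToken(host, delegationToken);
            LOG.info("Interactive: Generated token for " + creds.toString() + " : " + delegationToken);

            //client rpc
            tokenId = secretManager.createIdentifier();
            delegationToken = new Token<ProbosDelegationTokenIdentifier>(tokenId, secretManager);
            addr = NetUtils.getConnectAddress(clientRpcserver);
            host = new Text(addr.getAddress().getHostAddress() + ":" + addr.getPort());
            delegationToken.setService(host);
            creds.addToken(host, delegationToken);
            LOG.info("Client: Generated token for " + creds.toString() + " : " + delegationToken);

            //master rpc
            tokenId = secretManager.createIdentifier();
            delegationToken = new Token<ProbosDelegationTokenIdentifier>(tokenId, secretManager);
            addr = NetUtils.getConnectAddress(masterRpcserver);
            host = new Text(addr.getAddress().getHostAddress() + ":" + addr.getPort());
            delegationToken.setService(host);
            creds.addToken(host, delegationToken);
            LOG.info("Master: Generated token for " + creds.toString() + " : " + delegationToken);

            YarnClientService service = new YarnClientServiceImpl(params, creds);
            service.startAndWait();
            if (!service.isRunning()) {
                LOG.error("YarnClientService failed to startup, exiting...");
                jobArray.remove(ji.jobId);
                // NOTE(review): the job id is still returned although the job was just
                // removed, so the caller cannot tell this apart from success. Kept for
                // compatibility; confirm whether callers expect -1 here.
                return ji.jobId;
            }
            ji.kitten = service;
            ji.modify();
            started[0] = true;
            return ji.jobId;
        }
    };

    //setuid to the requestor's user id
    UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(requestorUserName,
            UserGroupInformation.getLoginUser());
    Integer rtr = null;
    try {
        if (UserGroupInformation.isSecurityEnabled()) {
            rtr = proxyUser.doAs(submitAction);
        } else {
            // Without Hadoop security there is no impersonation: the job is submitted
            // by the controller's own user.
            rtr = submitAction.run();
        }
        ji.proxyUser = proxyUser;
        ji.modify();
        if (started[0]) {
            runningJobs.inc();
        }
        return rtr.intValue();
    } catch (Exception e) {
        LOG.error("job did not submit!", e);
        return -1;
    }
}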
From source file:uk.ac.gla.terrier.probos.controller.ControllerServer.java
License:Open Source License
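/**
 * Kills the specified job.
 *
 * <p>The caller must pass {@code checkOwnerOrRoot} for the job. The kill itself is
 * issued through a {@code YarnClient}; when Hadoop security is enabled it runs as
 * the proxy user recorded on the job at submission time.
 *
 * @param jobId id of the job to be killed
 * @param purge if {@code true}, the job is removed from the job table afterwards and
 *              0 is returned regardless of whether the kill completed in time
 * @return 0 for success, -1 for no such job, -2 if the job had not finished by the
 *         configured kill timeout
 * @throws Exception if the ownership check fails or the kill request throws
 */
@Override
public int killJob(final int jobId, boolean purge) throws Exception {
    UserGroupInformation caller = Server.getRemoteUser();
    LOG.info(caller + " asked to kill job " + jobId);
    // Single lookup: a separate containsKey()/get() pair can observe the job being
    // removed in between and hand a null to the ownership check.
    final JobInformation ji = jobArray.get(jobId);
    if (ji == null)
        return -1;
    checkOwnerOrRoot(ji);
    UserGroupInformation proxyUser = ji.proxyUser;
    Integer status;
    PrivilegedExceptionAction<Integer> doKill = new PrivilegedExceptionAction<Integer>() {
        @Override
        public Integer run() throws Exception {
            final long killDeadline = System.currentTimeMillis()
                    + pConf.getLong(PConfiguration.KEY_CONTROLLER_KILL_TIMEOUT, 5000);
            YarnClientService kittenClient = ji.kitten;
            YarnClient yarnClient = YarnClient.createYarnClient();
            yarnClient.init(yConf);
            yarnClient.start();
            try {
                yarnClient.killApplication(kittenClient.getApplicationId());
                // Poll until the application reports finished or the deadline passes.
                while (!kittenClient.isApplicationFinished()) {
                    Thread.sleep(100);
                    if (System.currentTimeMillis() > killDeadline)
                        return -2;
                }
                return 0;
            } finally {
                // The client is created per call; stop it on every exit path so its
                // resources are released.
                yarnClient.stop();
            }
        }
    };
    //perform the actual kill, as the user
    if (UserGroupInformation.isSecurityEnabled())
        status = proxyUser.doAs(doKill);
    else
        status = doKill.run();
    // NOTE(review): the counters are adjusted even when the kill timed out (-2);
    // confirm that this is intended.
    runningJobs.dec();
    killedJobs.inc();

    //purge, aka qdel -p.
    //conditional on superuser
    // NOTE(review): no superuser check is visible in this method. The only
    // authorization above is checkOwnerOrRoot(ji), which by its name also admits
    // the job owner. Confirm that purge is restricted elsewhere, or enforce it here.
    if (purge) {
        jobArray.remove(jobId);
        status = 0;
    }
    return status;
}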
From source file:yarnkit.client.YarnClientService.java
License:Apache License
/**
 * Collects file-system delegation tokens for the default file system and
 * serialises them into a buffer.
 *
 * @param conf configuration used to obtain the file system and the ResourceManager
 *             principal, which is named as the token renewer
 * @return the serialised credentials, or {@code null} when Hadoop security is disabled
 * @throws IOException if no ResourceManager principal is configured, or if obtaining
 *                     or serialising the tokens fails
 */
@Nullable
private static ByteBuffer getSecurityToken(@Nonnull Configuration conf) throws IOException {
    // Delegation tokens only exist on a secured cluster.
    if (!UserGroupInformation.isSecurityEnabled()) {
        return null;
    }

    final FileSystem defaultFs = FileSystem.get(conf);
    final Credentials collected = new Credentials();

    final String renewer = conf.get(YarnConfiguration.RM_PRINCIPAL);
    final boolean renewerMissing = (renewer == null) || renewer.isEmpty();
    if (renewerMissing) {
        throw new IOException("Can't get Master Kerberos principal for the RM to use as renewer");
    }

    // For now, only getting tokens for the default file-system.
    final Token<?>[] issued = defaultFs.addDelegationTokens(renewer, collected);
    if (issued != null) {
        for (int idx = 0; idx < issued.length; idx++) {
            final Token<?> token = issued[idx];
            LOG.info("Got delegation token for " + defaultFs.getUri() + ": " + token);
        }
    }

    // Serialise into an in-memory buffer and expose only the bytes actually written.
    final DataOutputBuffer serialised = new DataOutputBuffer();
    collected.writeTokenStorageToStream(serialised);
    final int written = serialised.getLength();
    return ByteBuffer.wrap(serialised.getData(), 0, written);
}