/** * Rereads the config to get hosts and exclude list file names. * Rereads the files to update the hosts and exclude lists. */ public synchronized void refreshNodes() throws IOException { String user = UserGroupInformation.getCurrentUser().getShortUserName(); // check access if (!aclsManager.isMRAdmin(UserGroupInformation.getCurrentUser())) { AuditLogger.logFailure(user, Constants.REFRESH_NODES, aclsManager.getAdminsAcl().toString(), Constants.JOBTRACKER, Constants.UNAUTHORIZED_USER); throw new AccessControlException(user + " is not authorized to refresh nodes."); } AuditLogger.logSuccess(user, Constants.REFRESH_NODES, Constants.JOBTRACKER); // call the actual api refreshHosts(); }
public boolean setSafeMode(JobTracker.SafeModeAction safeModeAction) throws IOException { String user = UserGroupInformation.getCurrentUser().getShortUserName(); // Anyone can check JT safe-mode if (safeModeAction == SafeModeAction.SAFEMODE_GET) { boolean safeMode = this.safeMode.get(); LOG.info("Getting safemode information: safemode=" + safeMode + ". " + "Requested by : " + UserGroupInformation.getCurrentUser().getShortUserName()); AuditLogger.logSuccess(user, Constants.GET_SAFEMODE, Constants.JOBTRACKER); return safeMode; } // Check access for modifications to safe-mode if (!aclsManager.isMRAdmin(UserGroupInformation.getCurrentUser())) { AuditLogger.logFailure(user, Constants.SET_SAFEMODE, aclsManager.getAdminsAcl().toString(), Constants.JOBTRACKER, Constants.UNAUTHORIZED_USER); throw new AccessControlException(user + " is not authorized to refresh nodes."); } AuditLogger.logSuccess(user, Constants.SET_SAFEMODE, Constants.JOBTRACKER); boolean currSafeMode = setSafeModeInternal(safeModeAction); adminSafeMode.set(currSafeMode); adminSafeModeUser = user; return currSafeMode; }
/** * Check the ACLs for a user doing the passed operation. * <ul> * <li>If ACLs are disabled, allow all users.</li> * <li>If the operation is not a job operation(for eg. submit-job-to-queue), * then allow only (a) clusterOwner(who started the cluster), (b)cluster * administrators and (c) members of queue-submit-job-acl for the queue.</li> * <li>If the operation is a job operation, then allow only (a) jobOwner, * (b) clusterOwner(who started the cluster), (c) cluster administrators, * (d) members of queue admins acl for the queue and (e) members of job * acl for the jobOperation</li> * </ul> * * callerUGI is the user who is trying to perform the operation. * jobAcl could be job-view-acl or job-modify-acl depending on job operation. */ void checkAccess(String jobId, UserGroupInformation callerUGI, String queue, Operation operation, String jobOwner, AccessControlList jobAcl) throws AccessControlException { if (!aclsEnabled) { return; } String user = callerUGI.getShortUserName(); String targetResource = jobId + " in queue " + queue; // Allow mapreduce cluster admins to do any queue operation and // any job operation if (isMRAdmin(callerUGI)) { AuditLogger.logSuccess(user, operation.name(), targetResource); return; } if (operation == Operation.SUBMIT_JOB) { // This is strictly queue operation(not a job operation) if (!queueManager.hasAccess(queue, operation.qACLNeeded, callerUGI)) { AuditLogger.logFailure(user, operation.name(), queueManager.getQueueACL(queue, operation.qACLNeeded).toString(), targetResource, Constants.UNAUTHORIZED_USER); throw new AccessControlException("User " + callerUGI.getShortUserName() + " cannot perform " + "operation " + operation.name() + " on queue " + queue + ".\n Please run \"hadoop queue -showacls\" " + "command to find the queues you have access to ."); } else { AuditLogger.logSuccess(user, operation.name(), targetResource); return; } } // Check if callerUGI is queueAdmin, jobOwner or part of job-acl. // queueManager and queue are null only when called from // TaskTracker(i.e. from TaskLogServlet) for the operation VIEW_TASK_LOGS. // Caller of this method takes care of checking if callerUGI is a // queue administrator for that operation. if (operation == Operation.VIEW_TASK_LOGS) { if (jobACLsManager.checkAccess(callerUGI, operation.jobACLNeeded, jobOwner, jobAcl)) { AuditLogger.logSuccess(user, operation.name(), targetResource); return; } } else if (queueManager.hasAccess(queue, operation.qACLNeeded, callerUGI) || jobACLsManager.checkAccess(callerUGI, operation.jobACLNeeded, jobOwner, jobAcl)) { AuditLogger.logSuccess(user, operation.name(), targetResource); return; } AuditLogger.logFailure(user, operation.name(), jobAcl.toString(), targetResource, Constants.UNAUTHORIZED_USER); throw new AccessControlException("User " + callerUGI.getShortUserName() + " cannot perform operation " + operation.name() + " on " + jobId + " that is in the queue " + queue); }
