This project has retired. For details please refer to its Attic page.
Source code 
001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *   http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.reef.runtime.yarn.client.unmanaged;
020
021import org.apache.hadoop.security.UserGroupInformation;
022import org.apache.hadoop.security.token.Token;
023import org.apache.hadoop.security.token.TokenIdentifier;
024import org.apache.reef.annotations.audience.ClientSide;
025import org.apache.reef.annotations.audience.DriverSide;
026import org.apache.reef.annotations.audience.Private;
027import org.apache.reef.runtime.common.UserCredentials;
028
029import javax.inject.Inject;
030import java.io.IOException;
031import java.security.PrivilegedExceptionAction;
032import java.util.Collection;
033import java.util.logging.Level;
034import java.util.logging.Logger;
035
036/**
037 * A holder class for the proxy UserGroupInformation object
038 * required for Unmanaged YARN Application Master in REEF-on-REEF or REEF-on-Spark mode.
039 */
040@Private
041@ClientSide
042@DriverSide
043public final class YarnProxyUser implements UserCredentials {
044
045  private static final Logger LOG = Logger.getLogger(YarnProxyUser.class.getName());
046
047  private UserGroupInformation proxyUGI = null;
048
049  @Inject
050  private YarnProxyUser() { }
051
052  /**
053   * Get the YARN proxy user information. If not set, return the (global) current user.
054   * @return Proxy user group information, if set; otherwise, return current YARN user.
055   * @throws IOException if proxy user is not set AND unable to obtain current YARN user information.
056   */
057  public UserGroupInformation get() throws IOException {
058
059    final UserGroupInformation effectiveUGI =
060        this.proxyUGI == null ? UserGroupInformation.getCurrentUser() : this.proxyUGI;
061
062    if (LOG.isLoggable(Level.FINEST)) {
063      LOG.log(Level.FINEST, "UGI: get: {0}", ugiToString("EFFECTIVE", effectiveUGI));
064    }
065
066    return effectiveUGI;
067  }
068
069  /**
070   * Check if the proxy user is set.
071   * @return true if proxy user set, false otherwise.
072   */
073  @Override
074  public boolean isSet() {
075    return this.proxyUGI != null;
076  }
077
078  /**
079   * Set YARN user. This method can be called only once per class instance.
080   * @param name Name of the new proxy user.
081   * @param hostUser User credentials to copy. Must be an instance of YarnProxyUser.
082   */
083  @Override
084  public void set(final String name, final UserCredentials hostUser) throws IOException {
085
086    assert this.proxyUGI == null;
087    assert hostUser instanceof YarnProxyUser;
088
089    LOG.log(Level.FINE, "UGI: user {0} copy from: {1}", new Object[] {name, hostUser});
090
091    final UserGroupInformation hostUGI = ((YarnProxyUser) hostUser).get();
092    final Collection<Token<? extends TokenIdentifier>> tokens = hostUGI.getCredentials().getAllTokens();
093
094    this.set(name, hostUGI, tokens.toArray(new Token[tokens.size()]));
095  }
096
097  /**
098   * Create YARN proxy user and add security tokens to its credentials.
099   * This method can be called only once per class instance.
100   * @param proxyName Name of the new proxy user.
101   * @param hostUGI YARN user to impersonate the proxy.
102   * @param tokens Security tokens to add to the new proxy user's credentials.
103   */
104  @SafeVarargs
105  public final void set(final String proxyName,
106      final UserGroupInformation hostUGI, final Token<? extends TokenIdentifier>... tokens) {
107
108    assert this.proxyUGI == null;
109    this.proxyUGI = UserGroupInformation.createProxyUser(proxyName, hostUGI);
110
111    for (final Token<? extends TokenIdentifier> token : tokens) {
112      this.proxyUGI.addToken(token);
113    }
114
115    LOG.log(Level.FINE, "UGI: user {0} set to: {1}", new Object[] {proxyName, this});
116  }
117
118  /**
119   * Execute the privileged action as a given user.
120   * If user credentials are not set, execute the action outside the user context.
121   * @param action an action to run.
122   * @param <T> action return type.
123   * @return result of an action.
124   * @throws Exception whatever the action can throw.
125   */
126  public <T> T doAs(final PrivilegedExceptionAction<T> action) throws Exception {
127    LOG.log(Level.FINE, "{0} execute {1}", new Object[] {this, action});
128    return this.proxyUGI == null ? action.run() : this.proxyUGI.doAs(action);
129  }
130
131  @Override
132  public String toString() {
133    return this.proxyUGI == null ? "UGI: { CURRENT user: null }" : ugiToString("PROXY", this.proxyUGI);
134  }
135
136  private static String ugiToString(final String prefix, final UserGroupInformation ugi) {
137    return String.format("UGI: { %s user: %s tokens: %s }", prefix, ugi, ugi.getCredentials().getAllTokens());
138  }
139}