001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 */ 019package org.apache.reef.runtime.yarn.client.unmanaged; 020 021import org.apache.hadoop.security.UserGroupInformation; 022import org.apache.hadoop.security.token.Token; 023import org.apache.hadoop.security.token.TokenIdentifier; 024import org.apache.reef.annotations.audience.ClientSide; 025import org.apache.reef.annotations.audience.DriverSide; 026import org.apache.reef.annotations.audience.Private; 027import org.apache.reef.runtime.common.UserCredentials; 028 029import javax.inject.Inject; 030import java.io.IOException; 031import java.security.PrivilegedExceptionAction; 032import java.util.Collection; 033import java.util.logging.Level; 034import java.util.logging.Logger; 035 036/** 037 * A holder class for the proxy UserGroupInformation object 038 * required for Unmanaged YARN Application Master in REEF-on-REEF or REEF-on-Spark mode. 039 */ 040@Private 041@ClientSide 042@DriverSide 043public final class YarnProxyUser implements UserCredentials { 044 045 private static final Logger LOG = Logger.getLogger(YarnProxyUser.class.getName()); 046 047 private UserGroupInformation proxyUGI = null; 048 049 @Inject 050 private YarnProxyUser() { } 051 052 /** 053 * Get the YARN proxy user information. If not set, return the (global) current user. 054 * @return Proxy user group information, if set; otherwise, return current YARN user. 055 * @throws IOException if proxy user is not set AND unable to obtain current YARN user information. 056 */ 057 public UserGroupInformation get() throws IOException { 058 059 final UserGroupInformation effectiveUGI = 060 this.proxyUGI == null ? UserGroupInformation.getCurrentUser() : this.proxyUGI; 061 062 if (LOG.isLoggable(Level.FINEST)) { 063 LOG.log(Level.FINEST, "UGI: get: {0}", ugiToString("EFFECTIVE", effectiveUGI)); 064 } 065 066 return effectiveUGI; 067 } 068 069 /** 070 * Check if the proxy user is set. 071 * @return true if proxy user set, false otherwise. 072 */ 073 @Override 074 public boolean isSet() { 075 return this.proxyUGI != null; 076 } 077 078 /** 079 * Set YARN user. This method can be called only once per class instance. 080 * @param name Name of the new proxy user. 081 * @param hostUser User credentials to copy. Must be an instance of YarnProxyUser. 082 */ 083 @Override 084 public void set(final String name, final UserCredentials hostUser) throws IOException { 085 086 assert this.proxyUGI == null; 087 assert hostUser instanceof YarnProxyUser; 088 089 LOG.log(Level.FINE, "UGI: user {0} copy from: {1}", new Object[] {name, hostUser}); 090 091 final UserGroupInformation hostUGI = ((YarnProxyUser) hostUser).get(); 092 final Collection<Token<? extends TokenIdentifier>> tokens = hostUGI.getCredentials().getAllTokens(); 093 094 this.set(name, hostUGI, tokens.toArray(new Token[tokens.size()])); 095 } 096 097 /** 098 * Create YARN proxy user and add security tokens to its credentials. 099 * This method can be called only once per class instance. 100 * @param proxyName Name of the new proxy user. 101 * @param hostUGI YARN user to impersonate the proxy. 102 * @param tokens Security tokens to add to the new proxy user's credentials. 103 */ 104 @SafeVarargs 105 public final void set(final String proxyName, 106 final UserGroupInformation hostUGI, final Token<? extends TokenIdentifier>... tokens) { 107 108 assert this.proxyUGI == null; 109 this.proxyUGI = UserGroupInformation.createProxyUser(proxyName, hostUGI); 110 111 for (final Token<? extends TokenIdentifier> token : tokens) { 112 this.proxyUGI.addToken(token); 113 } 114 115 LOG.log(Level.FINE, "UGI: user {0} set to: {1}", new Object[] {proxyName, this}); 116 } 117 118 /** 119 * Execute the privileged action as a given user. 120 * If user credentials are not set, execute the action outside the user context. 121 * @param action an action to run. 122 * @param <T> action return type. 123 * @return result of an action. 124 * @throws Exception whatever the action can throw. 125 */ 126 public <T> T doAs(final PrivilegedExceptionAction<T> action) throws Exception { 127 LOG.log(Level.FINE, "{0} execute {1}", new Object[] {this, action}); 128 return this.proxyUGI == null ? action.run() : this.proxyUGI.doAs(action); 129 } 130 131 @Override 132 public String toString() { 133 return this.proxyUGI == null ? "UGI: { CURRENT user: null }" : ugiToString("PROXY", this.proxyUGI); 134 } 135 136 private static String ugiToString(final String prefix, final UserGroupInformation ugi) { 137 return String.format("UGI: { %s user: %s tokens: %s }", prefix, ugi, ugi.getCredentials().getAllTokens()); 138 } 139}