org.apache.hadoop.yarn.security

Class YarnAuthorizationProvider

java.lang.Object

org.apache.hadoop.yarn.security.YarnAuthorizationProvider

Direct Known Subclasses:

ConfiguredYarnAuthorizer

@InterfaceAudience.Private
@InterfaceStability.Unstable
public abstract class YarnAuthorizationProvider
extends Object

An implementation of the interface will provide authorization related information and enforce permission check. It is excepted that any of the methods defined in this interface should be non-blocking call and should not involve expensive computation as these method could be invoked in RPC.

Constructor Summary

Constructors

Constructor and Description
YarnAuthorizationProvider()

Method Summary

Methods

Modifier and Type	Method and Description
abstract boolean	checkPermission(AccessType accessType, PrivilegedEntity target, org.apache.hadoop.security.UserGroupInformation user) Check if user has the permission to access the target object.
static YarnAuthorizationProvider	getInstance(org.apache.hadoop.conf.Configuration conf)
abstract void	init(org.apache.hadoop.conf.Configuration conf) Initialize the provider.
abstract boolean	isAdmin(org.apache.hadoop.security.UserGroupInformation ugi) Check if the user is an admin.
abstract void	setAdmins(org.apache.hadoop.security.authorize.AccessControlList acls, org.apache.hadoop.security.UserGroupInformation ugi) Set a list of users/groups who have admin access
abstract void	setPermission(PrivilegedEntity target, Map<AccessType,org.apache.hadoop.security.authorize.AccessControlList> acls, org.apache.hadoop.security.UserGroupInformation ugi) Set ACLs for the target object.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

YarnAuthorizationProvider

public YarnAuthorizationProvider()

Method Detail

getInstance

public static YarnAuthorizationProvider getInstance(org.apache.hadoop.conf.Configuration conf)

init

public abstract void init(org.apache.hadoop.conf.Configuration conf)

Initialize the provider. Invoked on daemon startup. DefaultYarnAuthorizer is initialized based on configurations.

checkPermission

public abstract boolean checkPermission(AccessType accessType,
                      PrivilegedEntity target,
                      org.apache.hadoop.security.UserGroupInformation user)

Check if user has the permission to access the target object.

Parameters:

accessType - The type of accessing method.

target - The target object being accessed, e.g. app/queue

user - User who access the target

Returns:

true if user can access the object, otherwise false.

setPermission

public abstract void setPermission(PrivilegedEntity target,
                 Map<AccessType,org.apache.hadoop.security.authorize.AccessControlList> acls,
                 org.apache.hadoop.security.UserGroupInformation ugi)

Set ACLs for the target object. AccessControlList class encapsulate the users and groups who can access the target.

Parameters:

target - The target object.

acls - A map from access method to a list of users and/or groups who has permission to do the access.

ugi - User who sets the permissions.

setAdmins

public abstract void setAdmins(org.apache.hadoop.security.authorize.AccessControlList acls,
             org.apache.hadoop.security.UserGroupInformation ugi)

Set a list of users/groups who have admin access

Parameters:

acls - users/groups who have admin access

ugi - User who sets the admin acls.

isAdmin

public abstract boolean isAdmin(org.apache.hadoop.security.UserGroupInformation ugi)

Check if the user is an admin.

Parameters:

ugi - the user to be determined if it is an admin

Returns:

true if the given user is an admin