/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hive.ql.exec.tez;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

import com.facebook.presto.hive.$internal.com.google.common.base.Preconditions;
import com.facebook.presto.hive.$internal.org.apache.commons.io.IOUtils;
import com.facebook.presto.hive.$internal.org.json.JSONException;
import com.facebook.presto.hive.$internal.org.json.JSONObject;
import com.facebook.presto.hive.$internal.org.slf4j.Logger;
import com.facebook.presto.hive.$internal.org.slf4j.LoggerFactory;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.http.HttpStatus;
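/**
 * Asks the YARN ResourceManager (RM) web service whether a user may access a queue.
 *
 * <p>The RM addresses are read from {@code yarn.resourcemanager.webapp.address}. Each check starts
 * at the RM that answered last time and cycles through the remaining ones on failure. The check
 * fails closed: the caller is only let through when an RM answers 200 with
 * {@code "allowed": true}; every other outcome ends in an exception.
 *
 * <p>NOTE(review): {@code lastKnownGoodUrl} is a plain, unsynchronized field; confirm whether
 * instances are shared between threads.
 */
public class YarnQueueHelper {
  private static final Logger LOG = LoggerFactory.getLogger(YarnQueueHelper.class);
  private static final String PERMISSION_PATH = "/ws/v1/cluster/queues/%s/access?user=%s";
  private static final String UTF_8 = "UTF-8";

  /** RM web addresses ({@code host:port}) to query. */
  private final String[] rmNodes;
  /** Index into {@link #rmNodes} of the RM that last produced a usable answer. */
  private int lastKnownGoodUrl;

  /**
   * @param conf configuration providing {@code yarn.resourcemanager.webapp.address}
   * @throws IllegalArgumentException if no RM web address is configured
   */
  public YarnQueueHelper(HiveConf conf) {
    rmNodes = conf.getTrimmedStrings("yarn.resourcemanager.webapp.address");
    Preconditions.checkArgument((rmNodes != null && rmNodes.length > 0),
        "yarn.resourcemanager.webapp.address must be set to enable queue access checks");
    lastKnownGoodUrl = 0;
  }

  /**
   * Verifies that {@code userName} may access {@code queueName}; returns normally only if an RM
   * confirms access.
   *
   * @param queueName queue to check
   * @param userName user to check
   * @throws HiveException if an RM answered and denied access
   * @throws IOException if no configured RM produced a usable answer
   */
  public void checkQueueAccess(
      String queueName, String userName) throws IOException, HiveException {
    // Queue and user names are caller-supplied. Percent-encode them so that characters such as
    // '/', '?', '&' or '#' stay inside their own URL component and cannot redirect the check to
    // another resource or add a second "user" parameter.
    String urlSuffix = String.format(
        PERMISSION_PATH, encodePathSegment(queueName), encodeQueryValue(userName));
    // TODO: if we ever use this endpoint for anything else, refactor cycling into a separate class.
    int urlIx = lastKnownGoodUrl;
    int lastUrlIx = ((urlIx == 0) ? rmNodes.length : urlIx) - 1;
    Exception firstError = null;
    while (true) {
      String node = rmNodes[urlIx];
      String error = null;
      boolean isCallOk = false;
      try {
        // NOTE(review): the scheme is fixed to plain http, so the allow/deny answer is not
        // protected by TLS; confirm whether HTTPS RM endpoints have to be supported.
        error = checkQueueAccessFromSingleRm("http://" + node + urlSuffix);
        isCallOk = true;
      } catch (Exception ex) {
        // Deliberately broad: any failure against one RM just moves on to the next one.
        LOG.warn("Cannot check queue access against RM " + node, ex);
        if (firstError == null) {
          firstError = ex;
        }
      }
      if (isCallOk) {
        lastKnownGoodUrl = urlIx;
        if (error == null) {
          return; // null error message here means the user has access.
        }
        throw new HiveException(error.isEmpty()
            ? (userName + " has no access to " + queueName) : error);
      }
      if (urlIx == lastUrlIx) {
        throw new IOException("Cannot access any RM service; first error", firstError);
      }
      urlIx = (urlIx + 1) % rmNodes.length;
    }
  }

  /**
   * Percent-encodes a value for use as a query parameter value. {@code null} is rendered as
   * {@code "null"}, which is what {@link String#format} produced before encoding was added.
   */
  private static String encodeQueryValue(String value) throws IOException {
    return URLEncoder.encode(String.valueOf(value), UTF_8);
  }

  /**
   * Percent-encodes a value for use as a single path segment. {@link URLEncoder} produces form
   * encoding, where a space becomes '+'; in a path '+' is a literal plus, so it is rewritten to
   * {@code %20}.
   */
  private static String encodePathSegment(String value) throws IOException {
    // NOTE(review): a segment made only of dots ("." or "..") passes through the encoder
    // unchanged; reject such queue names upstream if they can reach this method.
    return encodeQueryValue(value).replace("+", "%20");
  }

  /**
   * Queries a single RM.
   *
   * @return {@code null} if access is allowed, otherwise the (possibly empty) denial message
   * @throws IOException on any status other than 200, or if the request itself fails
   */
  private String checkQueueAccessFromSingleRm(String urlString) throws IOException {
    URL url = new URL(urlString);
    // NOTE(review): this class sets no connect/read timeout on the connection, so an
    // unresponsive RM may stall the caller; confirm whether defaults are applied elsewhere.
    HttpURLConnection connection = UserGroupInformation.isSecurityEnabled()
        ? getSecureConnection(url) : (HttpURLConnection) url.openConnection();
    try {
      int statusCode = connection.getResponseCode();
      switch (statusCode) {
      case HttpStatus.SC_OK:
        return processResponse(connection);
      case HttpStatus.SC_FORBIDDEN:
        // Throw a special exception since it's usually a well-known misconfiguration.
        throw new IOException(handleUnexpectedStatusCode(connection, statusCode, "check that the "
            + "HiveServer2 principal is in the administrator list of the root YARN queue"));
      default:
        throw new IOException(handleUnexpectedStatusCode(connection, statusCode, null));
      }
    } finally {
      // Release the connection on every path; previously neither it nor its streams were closed.
      connection.disconnect();
    }
  }

  /**
   * Parses a 200 response from the RM.
   *
   * @return {@code null} if {@code "allowed"} is true, otherwise the {@code "diagnostics"} text,
   *     or an empty string when the RM sent none
   * @throws IOException if the response has no body or cannot be read
   * @throws JSONException if the body is not valid JSON or lacks a boolean {@code "allowed"}
   */
  private String processResponse(HttpURLConnection connection) throws IOException {
    String jsonStr;
    try (InputStream stream = connection.getInputStream()) {
      if (stream == null) {
        throw new IOException(handleUnexpectedStatusCode(
            connection, HttpStatus.SC_OK, "No input on successful API call"));
      }
      // Decode explicitly as UTF-8 rather than with the platform default charset.
      jsonStr = IOUtils.toString(stream, UTF_8);
    }
    try {
      JSONObject obj = new JSONObject(jsonStr);
      // getBoolean throws when "allowed" is missing or not a boolean, so a malformed answer is
      // never treated as permission.
      if (obj.getBoolean("allowed")) {
        return null;
      }
      // optString instead of getString: a denial without "diagnostics" must stay a denial with
      // an empty message, not turn into a parse failure that is reported as an RM outage.
      return obj.optString("diagnostics", "");
    } catch (JSONException ex) {
      LOG.error("Couldn't parse " + jsonStr, ex);
      throw ex;
    }
  }

  /** Gets the Hadoop kerberos secure connection (not an SSL connection). */
  private HttpURLConnection getSecureConnection(URL url) throws IOException {
    AuthenticatedURL.Token token = new AuthenticatedURL.Token();
    try {
      return new AuthenticatedURL().openConnection(url, token);
    } catch (AuthenticationException e) {
      throw new IOException(e);
    }
  }

  /**
   * Builds a diagnostic message for a response this class does not handle.
   *
   * @param connection connection whose response is being reported
   * @param statusCode HTTP status that was received
   * @param errorStr optional hint appended in parentheses; may be {@code null}
   * @return {@code "Received <status>"} plus the hint and the response body when available
   * @throws IOException declared for compatibility; failures while reading the body are logged
   *     and the message is returned without the body
   */
  public String handleUnexpectedStatusCode(
      HttpURLConnection connection, int statusCode, String errorStr) throws IOException {
    // We do not handle anything but OK for now. Again, we need a real client for this API.
    // TODO: handle 401 and return a new connection? nothing for now
    StringBuilder error = new StringBuilder("Received ").append(statusCode);
    if (errorStr != null) {
      error.append(" (").append(errorStr).append(")");
    }
    String body = readResponseBody(connection);
    if (body != null) {
      error.append(": ").append(body);
    }
    return error.toString();
  }

  /**
   * Reads the error stream, or the input stream when there is no error stream, and closes it.
   *
   * @return the body text, or {@code null} if there is no body or it cannot be read
   */
  private static String readResponseBody(HttpURLConnection connection) {
    try {
      InputStream stream = connection.getErrorStream();
      if (stream == null) {
        // For error statuses getInputStream() throws instead of returning null; that must not
        // replace the status message being built by the caller.
        stream = connection.getInputStream();
      }
      if (stream == null) {
        return null;
      }
      try {
        return IOUtils.toString(stream, UTF_8);
      } finally {
        stream.close();
      }
    } catch (IOException ex) {
      LOG.debug("Could not read the response body", ex);
      return null;
    }
  }
}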