深入理解Spark 2.1 Core (十四):securityManager 类源码分析
securityManager主要用于权限设置,比如在使用yarn作为资源调度框架时,用于生成secret key进行登录。该类默认只用一个实例,所以的app使用同一个实例,下面是该类的所有源代码:
- private[spark] class SecurityManager(sparkConf: SparkConf)
- extends Logging with SecretKeyHolder {
- // key used to store the spark secret in the Hadoop UGI
- private val sparkSecretLookupKey = "sparkCookie"
- private val authOn = sparkConf.getBoolean("spark.authenticate", false)
- // keep spark.ui.acls.enable for backwards compatibility with 1.0
- private var aclsOn =
- sparkConf.getBoolean("spark.acls.enable", sparkConf.getBoolean("spark.ui.acls.enable", false))
- // admin acls should be set before view or modify acls
- private var adminAcls: Set[String] =
- stringToSet(sparkConf.get("spark.admin.acls", ""))
- private var viewAcls: Set[String] = _
- // list of users who have permission to modify the application. This should
- // apply to both UI and CLI for things like killing the application.
- private var modifyAcls: Set[String] = _
- // always add the current user and SPARK_USER to the viewAcls
- private val defaultAclUsers = Set[String](System.getProperty("user.name", ""),
- Utils.getCurrentUserName())
- setViewAcls(defaultAclUsers, sparkConf.get("spark.ui.view.acls", ""))
- setModifyAcls(defaultAclUsers, sparkConf.get("spark.modify.acls", ""))
- private val secretKey = generateSecretKey()
- logInfo("SecurityManager: authentication " + (if (authOn) "enabled" else "disabled") +
- "; ui acls " + (if (aclsOn) "enabled" else "disabled") +
- "; users with view permissions: " + viewAcls.toString() +
- "; users with modify permissions: " + modifyAcls.toString())
- // Set our own authenticator to properly negotiate user/password for HTTP connections.
- // This is needed by the HTTP client fetching from the HttpServer. Put here so its
- // only set once.
- if (authOn) {
- Authenticator.setDefault(
- new Authenticator() {
- override def getPasswordAuthentication(): PasswordAuthentication = {
- var passAuth: PasswordAuthentication = null
- val userInfo = getRequestingURL().getUserInfo()
- if (userInfo != null) {
- val parts = userInfo.split(":", 2)
- passAuth = new PasswordAuthentication(parts(0), parts(1).toCharArray())
- }
- return passAuth
- }
- }
- )
- }
- // the default SSL configuration - it will be used by all communication layers unless overwritten
- private val defaultSSLOptions = SSLOptions.parse(sparkConf, "spark.ssl", defaults = None)
- // SSL configuration for different communication layers - they can override the default
- // configuration at a specified namespace. The namespace *must* start with spark.ssl.
- val fileServerSSLOptions = SSLOptions.parse(sparkConf, "spark.ssl.fs", Some(defaultSSLOptions))
- val akkaSSLOptions = SSLOptions.parse(sparkConf, "spark.ssl.akka", Some(defaultSSLOptions))
- logDebug(s"SSLConfiguration for file server: $fileServerSSLOptions")
- logDebug(s"SSLConfiguration for Akka: $akkaSSLOptions")
- val (sslSocketFactory, hostnameVerifier) = if (fileServerSSLOptions.enabled) {
- val trustStoreManagers =
- for (trustStore <- fileServerSSLOptions.trustStore) yield {
- val input = Files.asByteSource(fileServerSSLOptions.trustStore.get).openStream()
- try {
- val ks = KeyStore.getInstance(KeyStore.getDefaultType)
- ks.load(input, fileServerSSLOptions.trustStorePassword.get.toCharArray)
- val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
- tmf.init(ks)
- tmf.getTrustManagers
- } finally {
- input.close()
- }
- }
- lazy val credulousTrustStoreManagers = Array({
- logWarning("Using 'accept-all' trust manager for SSL connections.")
- new X509TrustManager {
- override def getAcceptedIssuers: Array[X509Certificate] = null
- override def checkClientTrusted(x509Certificates: Array[X509Certificate], s: String) {}
- override def checkServerTrusted(x509Certificates: Array[X509Certificate], s: String) {}
- }: TrustManager
- })
- val sslContext = SSLContext.getInstance(fileServerSSLOptions.protocol.getOrElse("Default"))
- sslContext.init(null, trustStoreManagers.getOrElse(credulousTrustStoreManagers), null)
- val hostVerifier = new HostnameVerifier {
- override def verify(s: String, sslSession: SSLSession): Boolean = true
- }
- (Some(sslContext.getSocketFactory), Some(hostVerifier))
- } else {
- (None, None)
- }
- /**
- * Split a comma separated String, filter out any empty items, and return a Set of strings
- */
- private def stringToSet(list: String): Set[String] = {
- list.split(',').map(_.trim).filter(!_.isEmpty).toSet
- }
- /**
- * Admin acls should be set before the view or modify acls. If you modify the admin
- * acls you should also set the view and modify acls again to pick up the changes.
- */
- def setViewAcls(defaultUsers: Set[String], allowedUsers: String) {
- viewAcls = (adminAcls ++ defaultUsers ++ stringToSet(allowedUsers))
- logInfo("Changing view acls to: " + viewAcls.mkString(","))
- }
- def setViewAcls(defaultUser: String, allowedUsers: String) {
- setViewAcls(Set[String](defaultUser), allowedUsers)
- }
- def getViewAcls: String = viewAcls.mkString(",")
- /**
- * Admin acls should be set before the view or modify acls. If you modify the admin
- * acls you should also set the view and modify acls again to pick up the changes.
- */
- def setModifyAcls(defaultUsers: Set[String], allowedUsers: String) {
- modifyAcls = (adminAcls ++ defaultUsers ++ stringToSet(allowedUsers))
- logInfo("Changing modify acls to: " + modifyAcls.mkString(","))
- }
- def getModifyAcls: String = modifyAcls.mkString(",")
- /**
- * Admin acls should be set before the view or modify acls. If you modify the admin
- * acls you should also set the view and modify acls again to pick up the changes.
- */
- def setAdminAcls(adminUsers: String) {
- adminAcls = stringToSet(adminUsers)
- logInfo("Changing admin acls to: " + adminAcls.mkString(","))
- }
- def setAcls(aclSetting: Boolean) {
- aclsOn = aclSetting
- logInfo("Changing acls enabled to: " + aclsOn)
- }
- /**
- * Generates or looks up the secret key.
- *
- * The way the key is stored depends on the Spark deployment mode. Yarn
- * uses the Hadoop UGI.
- *
- * For non-Yarn deployments, If the config variable is not set
- * we throw an exception.
- */
- private def generateSecretKey(): String = {
- if (!isAuthenticationEnabled) return null
- // first check to see if the secret is already set, else generate a new one if on yarn
- val sCookie = if (SparkHadoopUtil.get.isYarnMode) {
- val secretKey = SparkHadoopUtil.get.getSecretKeyFromUserCredentials(sparkSecretLookupKey)
- if (secretKey != null) {
- logDebug("in yarn mode, getting secret from credentials")
- return new Text(secretKey).toString
- } else {
- logDebug("getSecretKey: yarn mode, secret key from credentials is null")
- }
- val cookie = akka.util.Crypt.generateSecureCookie
- // if we generated the secret then we must be the first so lets set it so t
- // gets used by everyone else
- SparkHadoopUtil.get.addSecretKeyToUserCredentials(sparkSecretLookupKey, cookie)
- logInfo("adding secret to credentials in yarn mode")
- cookie
- } else {
- // user must have set spark.authenticate.secret config
- sparkConf.getOption("spark.authenticate.secret") match {
- case Some(value) => value
- case None => throw new Exception("Error: a secret key must be specified via the " +
- "spark.authenticate.secret config")
- }
- }
- sCookie
- }
- /**
- * Check to see if Acls for the UI are enabled
- * @return true if UI authentication is enabled, otherwise false
- */
- def aclsEnabled(): Boolean = aclsOn
- /**
- * Checks the given user against the view acl list to see if they have
- * authorization to view the UI. If the UI acls are disabled
- * via spark.acls.enable, all users have view access. If the user is null
- * it is assumed authentication is off and all users have access.
- *
- * @param user to see if is authorized
- * @return true is the user has permission, otherwise false
- */
- def checkUIViewPermissions(user: String): Boolean = {
- logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " viewAcls=" +
- viewAcls.mkString(","))
- !aclsEnabled || user == null || viewAcls.contains(user)
- }
- /**
- * Checks the given user against the modify acl list to see if they have
- * authorization to modify the application. If the UI acls are disabled
- * via spark.acls.enable, all users have modify access. If the user is null
- * it is assumed authentication isn't turned on and all users have access.
- *
- * @param user to see if is authorized
- * @return true is the user has permission, otherwise false
- */
- def checkModifyPermissions(user: String): Boolean = {
- logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " modifyAcls=" +
- modifyAcls.mkString(","))
- !aclsEnabled || user == null || modifyAcls.contains(user)
- }
- /**
- * Check to see if authentication for the Spark communication protocols is enabled
- * @return true if authentication is enabled, otherwise false
- */
- def isAuthenticationEnabled(): Boolean = authOn
- /**
- * Gets the user used for authenticating HTTP connections.
- * For now use a single hardcoded user.
- * @return the HTTP user as a String
- */
- def getHttpUser(): String = "sparkHttpUser"
- /**
- * Gets the user used for authenticating SASL connections.
- * For now use a single hardcoded user.
- * @return the SASL user as a String
- */
- def getSaslUser(): String = "sparkSaslUser"
- /**
- * Gets the secret key.
- * @return the secret key as a String if authentication is enabled, otherwise returns null
- */
- def getSecretKey(): String = secretKey
- // Default SecurityManager only has a single secret key, so ignore appId.
- override def getSaslUser(appId: String): String = getSaslUser()
- override def getSecretKey(appId: String): String = getSecretKey()
- }
深入理解Spark 2.1 Core (十四):securityManager 类源码分析相关推荐
- 第十四课 k8s源码学习和二次开发原理篇-调度器原理
第十四课 k8s源码学习和二次开发原理篇-调度器原理 tags: k8s 源码学习 categories: 源码学习 二次开发 文章目录 第十四课 k8s源码学习和二次开发原理篇-调度器原理 第一节 ...
- Alink漫谈(十六) :Word2Vec源码分析 之 建立霍夫曼树
Alink漫谈(十六) :Word2Vec源码分析 之 建立霍夫曼树 文章目录 Alink漫谈(十六) :Word2Vec源码分析 之 建立霍夫曼树 0x00 摘要 0x01 背景概念 1.1 词向量 ...
- Java 集合系列(四)—— ListIterator 源码分析
以脑图的形式来展示Java集合知识,让零碎知识点形成体系 Iterator 对比 Iterator(迭代器)是一种设计模式,是一个对象,用于遍历集合中的所有元素. Iterator 包含四个方 ...
- Spring Security(四) —— 核心过滤器源码分析
摘要: 原创出处 https://www.cnkirito.moe/spring-security-4/ 「老徐」欢迎转载,保留摘要,谢谢! 4 过滤器详解 前面的部分,我们关注了Spring Sec ...
- 基于比原链开发Dapp(四)-bufferserver源码分析
##简介 本章内容主要直接分析bufferserver源码,也就是比原链官方Dapp-demo的后端接口,里面包含了UTXO的托管逻辑.账单逻辑等,还会介绍一些改进的源码内容. [储蓄分红合 ...
- Java源码详解四:String源码分析--openjdk java 11源码
文章目录 注释 类的继承 数据的存储 构造函数 charAt函数 equals函数 hashCode函数 indexOf函数 intern函数 本系列是Java详解,专栏地址:Java源码分析 Str ...
- Spark详解(七):SparkContext源码分析以及整体作业提交流程
1. SparkContext源码分析 在任何Spark程序中,必须要创建一个SparkContext,在SparkContext中,最主要的就是创建了TaskScheduler和DAGSchedul ...
- Spark学习笔记(3)--SparkContext部分源码分析
SparkContext源码分析 在任何Spark程序中,必须要创建一个SparkContext,在SparkContext中,最主要的就是创建了TaskScheduler和DAGScheduler, ...
- 【四】Spring源码分析之启动主流程---AbstractApplicationContext的refresh方法
入口: 在SpringBoot启动的时候,SpringApplication的run方法中 refreshContext(context); 里面最终调用的是AbstractApplicationCo ...
最新文章
- 设备物理像素、设备独立像素
- sql server标识一个字符在这一列中是第几次出现
- Google Gears 体验(2):本机 web 服务器
- c# 智能升级程序代码(2)
- HTTP代理实现请求报文的拦截与篡改2--功能介绍+源码下载
- VC下ctreectrl的使用方法及节点前图标添加方法
- Mybatis 二级缓存简单示例
- python ftp编程_【编程】Python FTP
- IDEA设置代码背景豆沙色
- 经验正交函数分析(EOF)或主成分分析(PCA)在matlab上的实现及实例
- 打印纸张尺寸换算_「凭证纸尺寸」【用友凭证打印】自定义纸张尺寸对照表 - seo实验室...
- MicroDicom viewer(Dicom格式看图软件) v3.4.7官方版
- Excel 批量合并相同内容单元格方法
- 信用卡分销系统如何获客
- 英文电子专业词汇(新手必备)
- Squid缓存代理服务器
- Rollup项目的SNARK景观
- 邮箱android版,网易邮箱Android版手机通讯录将同步
- Java约定俗成怎么定义_Java接口定义规范,摘自晓风轻专栏
- 2022年湖南省社会工作者考试综合实务(初级)练习题及答案
热门文章
- redis key存在则删除_Redis加锁的几种实现
- Windows使用msi安装MySQL安装教程
- java pdfbox 解析报错_pdfbox 读取文件报错 java.io.IOException: Page tree root must be a dictionary...
- 华为交换机的配置及:access、trunk、hybird端口详解
- 初识OSPF(三)——路由重分发及虚链路
- 网页中弹出模式对话框
- mysql文本自动递增_mysql-如何创建自动递增的字符串?
- HTML鼠标悬停图片置顶,jquery实现鼠标悬浮停止轮播特效
- mysql实际项目中使用多长时间_存储过程在实际项目中用的多吗?
- lepus mysql 慢查询_天兔 -Lepus 慢查询分析平台配置