/// <summary>This tests whether a containerId is serialized/deserialized with epoch.</summary>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
private void TestContainerTokenWithEpoch(Configuration conf)
{
Log.Info("Running test for serializing/deserializing containerIds");
NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager
().GetRMContext().GetNMTokenSecretManager();
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, (5L << 40) | 3L);
NodeManager nm = yarnCluster.GetNodeManager(0);
NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager
();
string user = "******";
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm);
NodeId nodeId = nm.GetNMContext().GetNodeId();
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId
(), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId());
// Creating a normal Container Token
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
Resource r = Resource.NewInstance(1230, 2);
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager
.CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
);
byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
containerTokenIdentifier.ReadFields(dib);
NUnit.Framework.Assert.AreEqual(cId, containerTokenIdentifier.GetContainerID());
NUnit.Framework.Assert.AreEqual(cId.ToString(), containerTokenIdentifier.GetContainerID
().ToString());
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken
(appAttemptId, nodeId, user);
YarnRPC rpc = YarnRPC.Create(conf);
TestStartContainer(rpc, appAttemptId, nodeId, containerToken, nmToken, false);
IList <ContainerId> containerIds = new List <ContainerId>();
containerIds.AddItem(cId);
ContainerManagementProtocol proxy = GetContainerManagementProtocolProxy(rpc, nmToken
, nodeId, user);
GetContainerStatusesResponse res = proxy.GetContainerStatuses(GetContainerStatusesRequest
.NewInstance(containerIds));
NUnit.Framework.Assert.IsNotNull(res.GetContainerStatuses()[0]);
NUnit.Framework.Assert.AreEqual(cId, res.GetContainerStatuses()[0].GetContainerId
());
NUnit.Framework.Assert.AreEqual(cId.ToString(), res.GetContainerStatuses()[0].GetContainerId
().ToString());
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public virtual StartContainersResponse StartContainers(StartContainersRequest requests
)
{
StartContainersResponse response = TestRPC.recordFactory.NewRecordInstance <StartContainersResponse
>();
foreach (StartContainerRequest request in requests.GetStartContainerRequests())
{
Token containerToken = request.GetContainerToken();
ContainerTokenIdentifier tokenId = null;
try
{
tokenId = TestRPC.NewContainerTokenIdentifier(containerToken);
}
catch (IOException e)
{
throw RPCUtil.GetRemoteException(e);
}
ContainerStatus status = TestRPC.recordFactory.NewRecordInstance <ContainerStatus>
();
status.SetState(ContainerState.Running);
status.SetContainerId(tokenId.GetContainerID());
status.SetExitStatus(0);
this.statuses.AddItem(status);
}
return(response);
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public StartContainersResponse StartContainers(StartContainersRequest requests)
{
StartContainerRequest request = requests.GetStartContainerRequests()[0];
Log.Info("Container started by MyContainerManager: " + request);
launched = true;
IDictionary <string, string> env = request.GetContainerLaunchContext().GetEnvironment
();
Token containerToken = request.GetContainerToken();
ContainerTokenIdentifier tokenId = null;
try
{
tokenId = BuilderUtils.NewContainerTokenIdentifier(containerToken);
}
catch (IOException e)
{
throw RPCUtil.GetRemoteException(e);
}
ContainerId containerId = tokenId.GetContainerID();
containerIdAtContainerManager = containerId.ToString();
attemptIdAtContainerManager = containerId.GetApplicationAttemptId().ToString();
nmHostAtContainerManager = tokenId.GetNmHostAddress();
submitTimeAtContainerManager = long.Parse(env[ApplicationConstants.AppSubmitTimeEnv
]);
maxAppAttempts = System.Convert.ToInt32(env[ApplicationConstants.MaxAppAttemptsEnv
]);
return(StartContainersResponse.NewInstance(new Dictionary <string, ByteBuffer>(),
new AList <ContainerId>(), new Dictionary <ContainerId, SerializedException>()));
}
/// <exception cref="System.IO.IOException"/>
public virtual StartContainersResponse StartContainers(StartContainersRequest requests
)
{
StartContainerRequest request = requests.GetStartContainerRequests()[0];
ContainerTokenIdentifier containerTokenIdentifier = MRApp.NewContainerTokenIdentifier
(request.GetContainerToken());
// Validate that the container is what RM is giving.
NUnit.Framework.Assert.AreEqual(MRApp.NmHost + ":" + MRApp.NmPort, containerTokenIdentifier
.GetNmHostAddress());
StartContainersResponse response = TestContainerLauncher.recordFactory.NewRecordInstance
<StartContainersResponse>();
this.status = TestContainerLauncher.recordFactory.NewRecordInstance<ContainerStatus
>();
try
{
// make the thread sleep to look like its not going to respond
Sharpen.Thread.Sleep(15000);
}
catch (Exception e)
{
TestContainerLauncher.Log.Error(e);
throw new UndeclaredThrowableException(e);
}
this.status.SetState(ContainerState.Running);
this.status.SetContainerId(containerTokenIdentifier.GetContainerID());
this.status.SetExitStatus(0);
return response;
}
internal WrappedApplication(TestApplication _enclosing, int id, long timestamp, string
user, int numContainers)
{
this._enclosing = _enclosing;
Configuration conf = new Configuration();
this.dispatcher = new DrainDispatcher();
this.containerTokenIdentifierMap = new Dictionary <ContainerId, ContainerTokenIdentifier
>();
this.dispatcher.Init(conf);
this.localizerBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.launcherBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.monitorBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.auxBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.containerBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.logAggregationBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.dispatcher.Register(typeof(LocalizationEventType), this.localizerBus);
this.dispatcher.Register(typeof(ContainersLauncherEventType), this.launcherBus);
this.dispatcher.Register(typeof(ContainersMonitorEventType), this.monitorBus);
this.dispatcher.Register(typeof(AuxServicesEventType), this.auxBus);
this.dispatcher.Register(typeof(ContainerEventType), this.containerBus);
this.dispatcher.Register(typeof(LogHandlerEventType), this.logAggregationBus);
this.nmTokenSecretMgr = Org.Mockito.Mockito.Mock <NMTokenSecretManagerInNM>();
this.context = Org.Mockito.Mockito.Mock <Context>();
Org.Mockito.Mockito.When(this.context.GetContainerTokenSecretManager()).ThenReturn
(new NMContainerTokenSecretManager(conf));
Org.Mockito.Mockito.When(this.context.GetApplicationACLsManager()).ThenReturn(new
ApplicationACLsManager(conf));
Org.Mockito.Mockito.When(this.context.GetNMTokenSecretManager()).ThenReturn(this.
nmTokenSecretMgr);
// Setting master key
MasterKey masterKey = new MasterKeyPBImpl();
masterKey.SetKeyId(123);
masterKey.SetBytes(ByteBuffer.Wrap(new byte[] { (123) }));
this.context.GetContainerTokenSecretManager().SetMasterKey(masterKey);
this.user = user;
this.appId = BuilderUtils.NewApplicationId(timestamp, id);
this.app = new ApplicationImpl(this.dispatcher, this.user, this.appId, null, this
.context);
this.containers = new AList <Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container
>();
for (int i = 0; i < numContainers; i++)
{
Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container container
= this._enclosing.CreateMockedContainer(this.appId, i);
this.containers.AddItem(container);
long currentTime = Runtime.CurrentTimeMillis();
ContainerTokenIdentifier identifier = new ContainerTokenIdentifier(container.GetContainerId
(), string.Empty, string.Empty, null, currentTime + 2000, masterKey.GetKeyId(),
currentTime, Priority.NewInstance(0), 0);
this.containerTokenIdentifierMap[identifier.GetContainerID()] = identifier;
this.context.GetContainerTokenSecretManager().StartContainerSuccessful(identifier
);
NUnit.Framework.Assert.IsFalse(this.context.GetContainerTokenSecretManager().IsValidStartContainerRequest
(identifier));
}
this.dispatcher.Start();
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public virtual StartContainersResponse StartContainers(StartContainersRequest requests
)
{
lock (this)
{
foreach (StartContainerRequest request in requests.GetStartContainerRequests())
{
Token containerToken = request.GetContainerToken();
ContainerTokenIdentifier tokenId = null;
try
{
tokenId = BuilderUtils.NewContainerTokenIdentifier(containerToken);
}
catch (IOException e)
{
throw RPCUtil.GetRemoteException(e);
}
ContainerId containerID = tokenId.GetContainerID();
ApplicationId applicationId = containerID.GetApplicationAttemptId().GetApplicationId
();
IList <Container> applicationContainers = containers[applicationId];
if (applicationContainers == null)
{
applicationContainers = new AList <Container>();
containers[applicationId] = applicationContainers;
}
// Sanity check
foreach (Container container in applicationContainers)
{
if (container.GetId().CompareTo(containerID) == 0)
{
throw new InvalidOperationException("Container " + containerID + " already setup on node "
+ containerManagerAddress);
}
}
Container container_1 = BuilderUtils.NewContainer(containerID, this.nodeId, nodeHttpAddress
, tokenId.GetResource(), null, null);
// DKDC - Doesn't matter
ContainerStatus containerStatus = BuilderUtils.NewContainerStatus(container_1.GetId
(), ContainerState.New, string.Empty, -1000);
applicationContainers.AddItem(container_1);
containerStatusMap[container_1] = containerStatus;
Resources.SubtractFrom(available, tokenId.GetResource());
Resources.AddTo(used, tokenId.GetResource());
if (Log.IsDebugEnabled())
{
Log.Debug("startContainer:" + " node=" + containerManagerAddress + " application="
+ applicationId + " container=" + container_1 + " available=" + available + " used="
+ used);
}
}
StartContainersResponse response = StartContainersResponse.NewInstance(null, null
, null);
return(response);
}
}
/// <summary>
/// Override of this is to validate ContainerTokens generated by using
/// different
/// <see cref="Org.Apache.Hadoop.Yarn.Server.Api.Records.MasterKey"/>
/// s.
/// </summary>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/>
public override byte[] RetrievePassword(ContainerTokenIdentifier identifier)
{
lock (this)
{
int keyId = identifier.GetMasterKeyId();
MasterKeyData masterKeyToUse = null;
if (this.previousMasterKey != null && keyId == this.previousMasterKey.GetMasterKey
().GetKeyId())
{
// A container-launch has come in with a token generated off the last
// master-key
masterKeyToUse = this.previousMasterKey;
}
else
{
if (keyId == base.currentMasterKey.GetMasterKey().GetKeyId())
{
// A container-launch has come in with a token generated off the current
// master-key
masterKeyToUse = base.currentMasterKey;
}
}
if (nodeHostAddr != null && !identifier.GetNmHostAddress().Equals(nodeHostAddr))
{
// Valid container token used for incorrect node.
throw new SecretManager.InvalidToken("Given Container " + identifier.GetContainerID
().ToString() + " identifier is not valid for current Node manager. Expected : "
+ nodeHostAddr + " Found : " + identifier.GetNmHostAddress());
}
if (masterKeyToUse != null)
{
return(RetrievePasswordInternal(identifier, masterKeyToUse));
}
// Invalid request. Like startContainer() with token generated off
// old-master-keys.
throw new SecretManager.InvalidToken("Given Container " + identifier.GetContainerID
().ToString() + " seems to have an illegally generated token.");
}
}
/// <summary>
/// Container will be remembered based on expiration time of the container
/// token used for starting the container.
/// </summary>
/// <remarks>
/// Container will be remembered based on expiration time of the container
/// token used for starting the container. It is safe to use expiration time
/// as there is one to many mapping between expiration time and containerId.
/// </remarks>
/// <returns>true if the current token identifier is not present in cache.</returns>
public virtual bool IsValidStartContainerRequest(ContainerTokenIdentifier containerTokenIdentifier
)
{
lock (this)
{
RemoveAnyContainerTokenIfExpired();
long expTime = containerTokenIdentifier.GetExpiryTimeStamp();
IList <ContainerId> containers = this.recentlyStartedContainerTracker[expTime];
if (containers == null || !containers.Contains(containerTokenIdentifier.GetContainerID
()))
{
return(true);
}
else
{
return(false);
}
}
}
public ContainerTokenIdentifierForTest(ContainerTokenIdentifier identifier, string
message)
{
YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto.Builder builder =
YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto.NewBuilder();
ContainerIdPBImpl containerID = (ContainerIdPBImpl)identifier.GetContainerID();
if (containerID != null)
{
builder.SetContainerId(containerID.GetProto());
}
builder.SetNmHostAddr(identifier.GetNmHostAddress());
builder.SetAppSubmitter(identifier.GetApplicationSubmitter());
ResourcePBImpl resource = (ResourcePBImpl)identifier.GetResource();
if (resource != null)
{
builder.SetResource(resource.GetProto());
}
builder.SetExpiryTimeStamp(identifier.GetExpiryTimeStamp());
builder.SetMasterKeyId(identifier.GetMasterKeyId());
builder.SetRmIdentifier(identifier.GetRMIdentifier());
PriorityPBImpl priority = (PriorityPBImpl)identifier.GetPriority();
if (priority != null)
{
builder.SetPriority(priority.GetProto());
}
builder.SetCreationTime(identifier.GetCreationTime());
builder.SetMessage(message);
LogAggregationContextPBImpl logAggregationContext = (LogAggregationContextPBImpl)
identifier.GetLogAggregationContext();
if (logAggregationContext != null)
{
builder.SetLogAggregationContext(logAggregationContext.GetProto());
}
proto = ((YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto)builder
.Build());
}
/// <summary>Container start has gone through.</summary>
/// <remarks>
/// Container start has gone through. We need to store the containerId in order
/// to block future container start requests with same container token. This
/// container token needs to be saved till its container token expires.
/// </remarks>
public virtual void StartContainerSuccessful(ContainerTokenIdentifier tokenId)
{
lock (this)
{
RemoveAnyContainerTokenIfExpired();
ContainerId containerId = tokenId.GetContainerID();
long expTime = tokenId.GetExpiryTimeStamp();
// We might have multiple containers with same expiration time.
if (!recentlyStartedContainerTracker.Contains(expTime))
{
recentlyStartedContainerTracker[expTime] = new AList <ContainerId>();
}
recentlyStartedContainerTracker[expTime].AddItem(containerId);
try
{
stateStore.StoreContainerToken(containerId, expTime);
}
catch (IOException e)
{
Log.Error("Unable to store token for container " + containerId, e);
}
}
}