Beispiel #1
 /// <summary>
 /// Creates the identifier by copying the fields of an existing NMToken identifier
 /// into a <c>NMTokenIdentifierNewProto</c> and attaching an extra message.
 /// </summary>
 /// <param name="tokenIdentifier">
 /// Identifier whose application attempt id, node id, application submitter and
 /// key id are copied into the new proto.
 /// </param>
 /// <param name="message">Value stored in the new proto's message field.</param>
 public NMTokenIdentifierNewForTest(NMTokenIdentifier tokenIdentifier, string message)
 {
     // Assemble the proto on a local builder; the builder field ends up null either way.
     var draft = YarnSecurityTestTokenProtos.NMTokenIdentifierNewProto.NewBuilder();

     // The attempt id and node id come from the source identifier's proto,
     // the submitter and key id from its accessors.
     var sourceAttemptId = tokenIdentifier.GetProto().GetAppAttemptId();
     draft.SetAppAttemptId(sourceAttemptId);
     var sourceNodeId = tokenIdentifier.GetProto().GetNodeId();
     draft.SetNodeId(sourceNodeId);
     draft.SetAppSubmitter(tokenIdentifier.GetApplicationSubmitter());
     draft.SetKeyId(tokenIdentifier.GetKeyId());
     draft.SetMessage(message);

     proto = (YarnSecurityTestTokenProtos.NMTokenIdentifierNewProto)draft.Build();
     builder = null;
 }
        /// <summary>
        /// Picks the master key that applies to an NMToken identifier and returns the
        /// password that <c>RetrivePasswordInternal</c> produces for it. This is used to
        /// verify NMTokens generated by different master keys.
        /// </summary>
        /// <remarks>
        /// Key selection, in order: the previous master key when its key id equals the
        /// identifier's; otherwise the current master key under the same condition;
        /// otherwise the key saved for the identifier's application attempt. The saved
        /// key is used without comparing its key id to the identifier's.
        /// NOTE(review): presumably the caller compares the returned password with the
        /// one carried by the token, which is what would reject an identifier whose key
        /// id matches none of the known keys - confirm against the caller.
        /// </remarks>
        /// <param name="identifier">The NMToken identifier presented for verification.</param>
        /// <returns>The password retrieved for <paramref name="identifier"/>.</returns>
        /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken">
        /// Thrown when this manager's node id is set and differs from the identifier's
        /// node id, or when no master key is available for the identifier.
        /// </exception>
        public override byte[] RetrievePassword(NMTokenIdentifier identifier)
        {
            lock (this)
            {
                int tokenKeyId = identifier.GetKeyId();
                ApplicationAttemptId attemptId = identifier.GetApplicationAttemptId();

                // Default to the key saved for this attempt, then prefer the previous or
                // the current master key when the token's key id names one of them.
                MasterKeyData selectedKey = oldMasterKeys[attemptId];
                if (previousMasterKey != null && tokenKeyId == previousMasterKey.GetMasterKey().GetKeyId())
                {
                    selectedKey = previousMasterKey;
                }
                else if (tokenKeyId == currentMasterKey.GetMasterKey().GetKeyId())
                {
                    selectedKey = currentMasterKey;
                }

                // A token naming a different node is rejected before any password is retrieved.
                if (nodeId != null && !identifier.GetNodeId().Equals(nodeId))
                {
                    string wrongNodeMessage = "Given NMToken for application : " + attemptId.ToString()
                        + " is not valid for current node manager." + "expected : " + nodeId.ToString()
                        + " found : " + identifier.GetNodeId().ToString();
                    throw new SecretManager.InvalidToken(wrongNodeMessage);
                }

                // No saved, previous or current key applies to this identifier.
                if (selectedKey == null)
                {
                    string noKeyMessage = "Given NMToken for application : " + attemptId.ToString()
                        + " seems to have been generated illegally.";
                    throw new SecretManager.InvalidToken(noKeyMessage);
                }

                byte[] password = RetrivePasswordInternal(identifier, selectedKey);
                Log.Debug("NMToken password retrieved successfully!!");
                return password;
            }
        }
 /// <summary>
 /// Records the master key to use for the application attempt named in an NMToken
 /// identifier. This is called by startContainer.
 /// </summary>
 /// <remarks>
 /// The master key is added to the cache used for starting the container, so this
 /// should be called before the startContainer request is validated. Only the
 /// current master key or the previous one is accepted as the new key.
 /// NOTE(review): the attempt is added to appToAppAttemptMap before the key id is
 /// checked, so the entry is still present when the call then throws - confirm
 /// that callers clean it up or that this is intended.
 /// </remarks>
 /// <param name="identifier">The NMToken identifier sent with the startContainer request.</param>
 /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken">
 /// Thrown when the identifier's key id matches neither the current nor the previous
 /// master key while the attempt has no saved key or a saved key with a different id.
 /// </exception>
 public virtual void AppAttemptStartContainer(NMTokenIdentifier identifier)
 {
     lock (this)
     {
         ApplicationAttemptId attemptId = identifier.GetApplicationAttemptId();
         if (!appToAppAttemptMap.Contains(attemptId.GetApplicationId()))
         {
             // No attempt of this application has been seen yet.
             appToAppAttemptMap[attemptId.GetApplicationId()] = new AList<ApplicationAttemptId>();
         }

         MasterKeyData savedKey = oldMasterKeys[attemptId];
         if (savedKey == null)
         {
             // No key saved for this attempt yet, so it is treated as a new attempt.
             appToAppAttemptMap[attemptId.GetApplicationId()].AddItem(attemptId);
         }
         else if (savedKey.GetMasterKey().GetKeyId() == identifier.GetKeyId())
         {
             // The saved key already carries the token's key id; nothing to update.
             return;
         }

         // Logged before the key id is checked, so this line also appears when the
         // call goes on to throw.
         Log.Debug("NMToken key updated for application attempt : "
             + identifier.GetApplicationAttemptId().ToString());

         if (identifier.GetKeyId() == currentMasterKey.GetMasterKey().GetKeyId())
         {
             UpdateAppAttemptKey(attemptId, currentMasterKey);
         }
         else if (previousMasterKey != null
             && identifier.GetKeyId() == previousMasterKey.GetMasterKey().GetKeyId())
         {
             UpdateAppAttemptKey(attemptId, previousMasterKey);
         }
         else
         {
             // The key id names neither the current nor the previous master key.
             throw new SecretManager.InvalidToken("Older NMToken should not be used while starting the container.");
         }
     }
 }