public RMActiveServiceContext(Dispatcher rmDispatcher, ContainerAllocationExpirer
containerAllocationExpirer, AMLivelinessMonitor amLivelinessMonitor, AMLivelinessMonitor
amFinishingMonitor, DelegationTokenRenewer delegationTokenRenewer, AMRMTokenSecretManager
appTokenSecretManager, RMContainerTokenSecretManager containerTokenSecretManager
, NMTokenSecretManagerInRM nmTokenSecretManager, ClientToAMTokenSecretManagerInRM
clientToAMTokenSecretManager, ResourceScheduler scheduler)
: this()
{
this.SetContainerAllocationExpirer(containerAllocationExpirer);
this.SetAMLivelinessMonitor(amLivelinessMonitor);
this.SetAMFinishingMonitor(amFinishingMonitor);
this.SetDelegationTokenRenewer(delegationTokenRenewer);
this.SetAMRMTokenSecretManager(appTokenSecretManager);
this.SetContainerTokenSecretManager(containerTokenSecretManager);
this.SetNMTokenSecretManager(nmTokenSecretManager);
this.SetClientToAMTokenSecretManager(clientToAMTokenSecretManager);
this.SetScheduler(scheduler);
RMStateStore nullStore = new NullRMStateStore();
nullStore.SetRMDispatcher(rmDispatcher);
try
{
nullStore.Init(new YarnConfiguration());
SetStateStore(nullStore);
}
catch (Exception)
{
System.Diagnostics.Debug.Assert(false);
}
}
public virtual void SetUp()
{
Configuration conf = new Configuration();
// Dispatcher that processes events inline
dispatcher = new InlineDispatcher();
dispatcher.Register(typeof(RMNodeEventType), new TestNMReconnect.TestRMNodeEventDispatcher
(this));
context = new RMContextImpl(dispatcher, null, null, null, null, null, null, null,
null, null);
dispatcher.Register(typeof(SchedulerEventType), new InlineDispatcher.EmptyEventHandler
());
dispatcher.Register(typeof(RMNodeEventType), new ResourceManager.NodeEventDispatcher
(context));
NMLivelinessMonitor nmLivelinessMonitor = new NMLivelinessMonitor(dispatcher);
nmLivelinessMonitor.Init(conf);
nmLivelinessMonitor.Start();
NodesListManager nodesListManager = new NodesListManager(context);
nodesListManager.Init(conf);
RMContainerTokenSecretManager containerTokenSecretManager = new RMContainerTokenSecretManager
(conf);
containerTokenSecretManager.Start();
NMTokenSecretManagerInRM nmTokenSecretManager = new NMTokenSecretManagerInRM(conf
);
nmTokenSecretManager.Start();
resourceTrackerService = new ResourceTrackerService(context, nodesListManager, nmLivelinessMonitor
, containerTokenSecretManager, nmTokenSecretManager);
resourceTrackerService.Init(conf);
resourceTrackerService.Start();
}
/// <summary>This tests whether a containerId is serialized/deserialized with epoch.</summary>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
private void TestContainerTokenWithEpoch(Configuration conf)
{
Log.Info("Running test for serializing/deserializing containerIds");
NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager
().GetRMContext().GetNMTokenSecretManager();
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, (5L << 40) | 3L);
NodeManager nm = yarnCluster.GetNodeManager(0);
NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager
();
string user = "******";
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm);
NodeId nodeId = nm.GetNMContext().GetNodeId();
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId
(), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId());
// Creating a normal Container Token
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
Resource r = Resource.NewInstance(1230, 2);
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager
.CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
);
byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
containerTokenIdentifier.ReadFields(dib);
NUnit.Framework.Assert.AreEqual(cId, containerTokenIdentifier.GetContainerID());
NUnit.Framework.Assert.AreEqual(cId.ToString(), containerTokenIdentifier.GetContainerID
().ToString());
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken
(appAttemptId, nodeId, user);
YarnRPC rpc = YarnRPC.Create(conf);
TestStartContainer(rpc, appAttemptId, nodeId, containerToken, nmToken, false);
IList <ContainerId> containerIds = new List <ContainerId>();
containerIds.AddItem(cId);
ContainerManagementProtocol proxy = GetContainerManagementProtocolProxy(rpc, nmToken
, nodeId, user);
GetContainerStatusesResponse res = proxy.GetContainerStatuses(GetContainerStatusesRequest
.NewInstance(containerIds));
NUnit.Framework.Assert.IsNotNull(res.GetContainerStatuses()[0]);
NUnit.Framework.Assert.AreEqual(cId, res.GetContainerStatuses()[0].GetContainerId
());
NUnit.Framework.Assert.AreEqual(cId.ToString(), res.GetContainerStatuses()[0].GetContainerId
().ToString());
}
public _RMContextImpl_159(ConcurrentMap <ApplicationId, RMApp> applicationsMaps, Dispatcher
baseArg1, ContainerAllocationExpirer baseArg2, AMLivelinessMonitor baseArg3, AMLivelinessMonitor
baseArg4, DelegationTokenRenewer baseArg5, AMRMTokenSecretManager baseArg6, RMContainerTokenSecretManager
baseArg7, NMTokenSecretManagerInRM baseArg8, ClientToAMTokenSecretManagerInRM baseArg9
, ResourceScheduler baseArg10)
: base(baseArg1, baseArg2, baseArg3, baseArg4, baseArg5, baseArg6, baseArg7, baseArg8
, baseArg9, baseArg10)
{
this.applicationsMaps = applicationsMaps;
}
public _RMContextImpl_121(ConcurrentMap <ApplicationId, RMApp> map, Dispatcher baseArg1
, ContainerAllocationExpirer baseArg2, AMLivelinessMonitor baseArg3, AMLivelinessMonitor
baseArg4, DelegationTokenRenewer baseArg5, AMRMTokenSecretManager baseArg6, RMContainerTokenSecretManager
baseArg7, NMTokenSecretManagerInRM baseArg8, ClientToAMTokenSecretManagerInRM baseArg9
)
: base(baseArg1, baseArg2, baseArg3, baseArg4, baseArg5, baseArg6, baseArg7, baseArg8
, baseArg9)
{
this.map = map;
}
public ResourceTrackerService(RMContext rmContext, NodesListManager nodesListManager
, NMLivelinessMonitor nmLivelinessMonitor, RMContainerTokenSecretManager containerTokenSecretManager
, NMTokenSecretManagerInRM nmTokenSecretManager)
: base(typeof(Org.Apache.Hadoop.Yarn.Server.Resourcemanager.ResourceTrackerService
).FullName)
{
this.rmContext = rmContext;
this.nodesListManager = nodesListManager;
this.nmLivelinessMonitor = nmLivelinessMonitor;
this.containerTokenSecretManager = containerTokenSecretManager;
this.nmTokenSecretManager = nmTokenSecretManager;
}
// don't do anything
protected internal override ResourceTrackerService CreateResourceTrackerService()
{
RMContainerTokenSecretManager containerTokenSecretManager = GetRMContext().GetContainerTokenSecretManager
();
containerTokenSecretManager.RollMasterKey();
NMTokenSecretManagerInRM nmTokenSecretManager = GetRMContext().GetNMTokenSecretManager
();
nmTokenSecretManager.RollMasterKey();
return(new _ResourceTrackerService_565(GetRMContext(), nodesListManager, this.nmLivelinessMonitor
, containerTokenSecretManager, nmTokenSecretManager));
}
public _RMContextImpl_183(ConcurrentMap <ApplicationId, RMApp> applicationsMaps, ConcurrentMap
<string, RMNode> deactivatedNodesMap, ConcurrentMap <NodeId, RMNode> nodesMap, Dispatcher
baseArg1, ContainerAllocationExpirer baseArg2, AMLivelinessMonitor baseArg3, AMLivelinessMonitor
baseArg4, DelegationTokenRenewer baseArg5, AMRMTokenSecretManager baseArg6, RMContainerTokenSecretManager
baseArg7, NMTokenSecretManagerInRM baseArg8, ClientToAMTokenSecretManagerInRM baseArg9
, ResourceScheduler baseArg10)
: base(baseArg1, baseArg2, baseArg3, baseArg4, baseArg5, baseArg6, baseArg7, baseArg8
, baseArg9, baseArg10)
{
this.applicationsMaps = applicationsMaps;
this.deactivatedNodesMap = deactivatedNodesMap;
this.nodesMap = nodesMap;
}
/// <exception cref="System.Exception"/>
protected internal virtual void RollNMTokenMasterKey(NMTokenSecretManagerInRM nmTokenSecretManagerRM
, NMTokenSecretManagerInNM nmTokenSecretManagerNM)
{
int oldKeyId = nmTokenSecretManagerRM.GetCurrentKey().GetKeyId();
nmTokenSecretManagerRM.RollMasterKey();
int interval = 40;
while (nmTokenSecretManagerNM.GetCurrentKey().GetKeyId() == oldKeyId && interval--
> 0)
{
Sharpen.Thread.Sleep(1000);
}
nmTokenSecretManagerRM.ActivateNextMasterKey();
NUnit.Framework.Assert.IsTrue((nmTokenSecretManagerNM.GetCurrentKey().GetKeyId()
== nmTokenSecretManagerRM.GetCurrentKey().GetKeyId()));
}
/// <summary>Construct the service.</summary>
public RMSecretManagerService(Configuration conf, RMContextImpl rmContext)
: base(typeof(Org.Apache.Hadoop.Yarn.Server.Resourcemanager.RMSecretManagerService
).FullName)
{
this.rmContext = rmContext;
// To initialize correctly, these managers should be created before
// being called serviceInit().
nmTokenSecretManager = CreateNMTokenSecretManager(conf);
rmContext.SetNMTokenSecretManager(nmTokenSecretManager);
containerTokenSecretManager = CreateContainerTokenSecretManager(conf);
rmContext.SetContainerTokenSecretManager(containerTokenSecretManager);
clientToAMSecretManager = CreateClientToAMTokenSecretManager();
rmContext.SetClientToAMTokenSecretManager(clientToAMSecretManager);
amRmTokenSecretManager = CreateAMRMTokenSecretManager(conf, this.rmContext);
rmContext.SetAMRMTokenSecretManager(amRmTokenSecretManager);
rmDTSecretManager = CreateRMDelegationTokenSecretManager(conf, rmContext);
rmContext.SetRMDelegationTokenSecretManager(rmDTSecretManager);
}
internal virtual void SetNMTokenSecretManager(NMTokenSecretManagerInRM nmTokenSecretManager
)
{
activeServiceContext.SetNMTokenSecretManager(nmTokenSecretManager);
}
public RMContextImpl(Dispatcher rmDispatcher, ContainerAllocationExpirer containerAllocationExpirer
, AMLivelinessMonitor amLivelinessMonitor, AMLivelinessMonitor amFinishingMonitor
, DelegationTokenRenewer delegationTokenRenewer, AMRMTokenSecretManager appTokenSecretManager
, RMContainerTokenSecretManager containerTokenSecretManager, NMTokenSecretManagerInRM
nmTokenSecretManager, ClientToAMTokenSecretManagerInRM clientToAMTokenSecretManager
, ResourceScheduler scheduler)
: this()
{
// helper constructor for tests
this.SetDispatcher(rmDispatcher);
SetActiveServiceContext(new RMActiveServiceContext(rmDispatcher, containerAllocationExpirer
, amLivelinessMonitor, amFinishingMonitor, delegationTokenRenewer, appTokenSecretManager
, containerTokenSecretManager, nmTokenSecretManager, clientToAMTokenSecretManager
, scheduler));
ConfigurationProvider provider = new LocalConfigurationProvider();
SetConfigurationProvider(provider);
}
internal virtual void SetNMTokenSecretManager(NMTokenSecretManagerInRM nmTokenSecretManager
)
{
this.nmTokenSecretManager = nmTokenSecretManager;
}
/// <exception cref="System.Exception"/>
public virtual void TestNMToken()
{
MockRM rm = new MockRM(conf);
try
{
rm.Start();
MockNM nm1 = rm.RegisterNode("h1:1234", 10000);
NMTokenSecretManagerInRM nmTokenSecretManager = rm.GetRMContext().GetNMTokenSecretManager
();
// submitting new application
RMApp app = rm.SubmitApp(1000);
// start scheduling.
nm1.NodeHeartbeat(true);
// Starting application attempt and launching
// It should get registered with NMTokenSecretManager.
RMAppAttempt attempt = app.GetCurrentAppAttempt();
MockAM am = rm.SendAMLaunched(attempt.GetAppAttemptId());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
// This will register application master.
am.RegisterAppAttempt();
AList <Container> containersReceivedForNM1 = new AList <Container>();
IList <ContainerId> releaseContainerList = new AList <ContainerId>();
Dictionary <string, Token> nmTokens = new Dictionary <string, Token>();
// initially requesting 2 containers.
AllocateResponse response = am.Allocate("h1", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM1, 2, nmTokens,
nm1);
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
// requesting 2 more containers.
response = am.Allocate("h1", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM1, 4, nmTokens,
nm1);
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
// We will be simulating NM restart so restarting newly added h2:1234
// NM 2 now registers.
MockNM nm2 = rm.RegisterNode("h2:1234", 10000);
nm2.NodeHeartbeat(true);
AList <Container> containersReceivedForNM2 = new AList <Container>();
response = am.Allocate("h2", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM2, 2, nmTokens,
nm2);
NUnit.Framework.Assert.AreEqual(2, nmTokens.Count);
// Simulating NM-2 restart.
nm2 = rm.RegisterNode("h2:1234", 10000);
// Wait for reconnect to make it through the RM and create a new RMNode
IDictionary <NodeId, RMNode> nodes = rm.GetRMContext().GetRMNodes();
while (nodes[nm2.GetNodeId()].GetLastNodeHeartBeatResponse().GetResponseId() > 0)
{
Sharpen.Thread.Sleep(WaitSleepMs);
}
int interval = 40;
// Wait for nm Token to be cleared.
while (nmTokenSecretManager.IsApplicationAttemptNMTokenPresent(attempt.GetAppAttemptId
(), nm2.GetNodeId()) && interval-- > 0)
{
Log.Info("waiting for nmToken to be cleared for : " + nm2.GetNodeId());
Sharpen.Thread.Sleep(WaitSleepMs);
}
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
// removing NMToken for h2:1234
Sharpen.Collections.Remove(nmTokens, nm2.GetNodeId().ToString());
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
// We should again receive the NMToken.
response = am.Allocate("h2", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM2, 4, nmTokens,
nm2);
NUnit.Framework.Assert.AreEqual(2, nmTokens.Count);
// Now rolling over NMToken masterKey. it should resend the NMToken in
// next allocate call.
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm1.GetNodeId()));
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm2.GetNodeId()));
nmTokenSecretManager.RollMasterKey();
nmTokenSecretManager.ActivateNextMasterKey();
NUnit.Framework.Assert.IsFalse(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm1.GetNodeId()));
NUnit.Framework.Assert.IsFalse(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm2.GetNodeId()));
// It should not remove application attempt entry.
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
nmTokens.Clear();
NUnit.Framework.Assert.AreEqual(0, nmTokens.Count);
// We should again receive the NMToken.
response = am.Allocate("h2", 1000, 1, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM2, 5, nmTokens,
nm2);
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm2.GetNodeId()));
// After AM is finished making sure that nmtoken entry for app
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
am.UnregisterAppAttempt();
// marking all the containers as finished.
foreach (Container container in containersReceivedForNM1)
{
nm1.NodeHeartbeat(attempt.GetAppAttemptId(), container.GetId().GetContainerId(),
ContainerState.Complete);
}
foreach (Container container_1 in containersReceivedForNM2)
{
nm2.NodeHeartbeat(attempt.GetAppAttemptId(), container_1.GetId().GetContainerId()
, ContainerState.Complete);
}
nm1.NodeHeartbeat(am.GetApplicationAttemptId(), 1, ContainerState.Complete);
am.WaitForState(RMAppAttemptState.Finished);
NUnit.Framework.Assert.IsFalse(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
}
finally
{
rm.Stop();
}
}
public CustomedResourceTrackerService(MiniYARNClusterForHATesting _enclosing, RMContext
rmContext, NodesListManager nodesListManager, NMLivelinessMonitor nmLivelinessMonitor
, RMContainerTokenSecretManager containerTokenSecretManager, NMTokenSecretManagerInRM
nmTokenSecretManager)
: base(rmContext, nodesListManager, nmLivelinessMonitor, containerTokenSecretManager
, nmTokenSecretManager)
{
this._enclosing = _enclosing;
}
/// <exception cref="System.Exception"/>
public virtual void TestNodeLocalAssignment()
{
AsyncDispatcher dispatcher = new InlineDispatcher();
Configuration conf = new Configuration();
RMContainerTokenSecretManager containerTokenSecretManager = new RMContainerTokenSecretManager
(conf);
containerTokenSecretManager.RollMasterKey();
NMTokenSecretManagerInRM nmTokenSecretManager = new NMTokenSecretManagerInRM(conf
);
nmTokenSecretManager.RollMasterKey();
RMApplicationHistoryWriter writer = Org.Mockito.Mockito.Mock <RMApplicationHistoryWriter
>();
FifoScheduler scheduler = new FifoScheduler();
RMContext rmContext = new RMContextImpl(dispatcher, null, null, null, null, null,
containerTokenSecretManager, nmTokenSecretManager, null, scheduler);
rmContext.SetSystemMetricsPublisher(Org.Mockito.Mockito.Mock <SystemMetricsPublisher
>());
rmContext.SetRMApplicationHistoryWriter(Org.Mockito.Mockito.Mock <RMApplicationHistoryWriter
>());
((RMContextImpl)rmContext).SetYarnConfiguration(new YarnConfiguration());
scheduler.SetRMContext(rmContext);
scheduler.Init(conf);
scheduler.Start();
scheduler.Reinitialize(new Configuration(), rmContext);
RMNode node0 = MockNodes.NewNodeInfo(1, Resources.CreateResource(1024 * 64), 1, "127.0.0.1"
);
NodeAddedSchedulerEvent nodeEvent1 = new NodeAddedSchedulerEvent(node0);
scheduler.Handle(nodeEvent1);
int _appId = 1;
int _appAttemptId = 1;
ApplicationAttemptId appAttemptId = CreateAppAttemptId(_appId, _appAttemptId);
CreateMockRMApp(appAttemptId, rmContext);
AppAddedSchedulerEvent appEvent = new AppAddedSchedulerEvent(appAttemptId.GetApplicationId
(), "queue1", "user1");
scheduler.Handle(appEvent);
AppAttemptAddedSchedulerEvent attemptEvent = new AppAttemptAddedSchedulerEvent(appAttemptId
, false);
scheduler.Handle(attemptEvent);
int memory = 64;
int nConts = 3;
int priority = 20;
IList <ResourceRequest> ask = new AList <ResourceRequest>();
ResourceRequest nodeLocal = CreateResourceRequest(memory, node0.GetHostName(), priority
, nConts);
ResourceRequest rackLocal = CreateResourceRequest(memory, node0.GetRackName(), priority
, nConts);
ResourceRequest any = CreateResourceRequest(memory, ResourceRequest.Any, priority
, nConts);
ask.AddItem(nodeLocal);
ask.AddItem(rackLocal);
ask.AddItem(any);
scheduler.Allocate(appAttemptId, ask, new AList <ContainerId>(), null, null);
NodeUpdateSchedulerEvent node0Update = new NodeUpdateSchedulerEvent(node0);
// Before the node update event, there are 3 local requests outstanding
NUnit.Framework.Assert.AreEqual(3, nodeLocal.GetNumContainers());
scheduler.Handle(node0Update);
// After the node update event, check that there are no more local requests
// outstanding
NUnit.Framework.Assert.AreEqual(0, nodeLocal.GetNumContainers());
//Also check that the containers were scheduled
SchedulerAppReport info = scheduler.GetSchedulerAppInfo(appAttemptId);
NUnit.Framework.Assert.AreEqual(3, info.GetLiveContainers().Count);
scheduler.Stop();
}
/// <summary>
/// This tests a malice user getting a proper token but then messing with it by
/// tampering with containerID/Resource etc..
/// </summary>
/// <remarks>
/// This tests a malice user getting a proper token but then messing with it by
/// tampering with containerID/Resource etc.. His/her containers should be
/// rejected.
/// </remarks>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
private void TestContainerToken(Configuration conf)
{
Log.Info("Running test for malice user");
/*
* We need to check for containerToken (authorization).
* Here we will be assuming that we have valid NMToken
* 1) ContainerToken used is expired.
* 2) ContainerToken is tampered (resource is modified).
*/
NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager
().GetRMContext().GetNMTokenSecretManager();
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, 0);
NodeManager nm = yarnCluster.GetNodeManager(0);
NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager
();
string user = "******";
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm);
NodeId nodeId = nm.GetNMContext().GetNodeId();
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId
(), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId());
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
Resource r = Resource.NewInstance(1230, 2);
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager
.CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0);
ContainerTokenIdentifier containerTokenIdentifier = GetContainerTokenIdentifierFromToken
(containerToken);
// Verify new compatible version ContainerTokenIdentifier can work successfully.
ContainerTokenIdentifierForTest newVersionTokenIdentifier = new ContainerTokenIdentifierForTest
(containerTokenIdentifier, "message");
byte[] password = containerTokenSecretManager.CreatePassword(newVersionTokenIdentifier
);
Org.Apache.Hadoop.Yarn.Api.Records.Token newContainerToken = BuilderUtils.NewContainerToken
(nodeId, password, newVersionTokenIdentifier);
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken
(appAttemptId, nodeId, user);
YarnRPC rpc = YarnRPC.Create(conf);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, newContainerToken
, nmToken, false).IsEmpty());
// Creating a tampered Container Token
RMContainerTokenSecretManager tamperedContainerTokenSecretManager = new RMContainerTokenSecretManager
(conf);
tamperedContainerTokenSecretManager.RollMasterKey();
do
{
tamperedContainerTokenSecretManager.RollMasterKey();
tamperedContainerTokenSecretManager.ActivateNextMasterKey();
}while (containerTokenSecretManager.GetCurrentKey().GetKeyId() == tamperedContainerTokenSecretManager
.GetCurrentKey().GetKeyId());
ContainerId cId2 = ContainerId.NewContainerId(appAttemptId, 1);
// Creating modified containerToken
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken2 = tamperedContainerTokenSecretManager
.CreateContainerToken(cId2, nodeId, user, r, Priority.NewInstance(0), 0);
StringBuilder sb = new StringBuilder("Given Container ");
sb.Append(cId2);
sb.Append(" seems to have an illegally generated token.");
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, containerToken2
, nmToken, true).Contains(sb.ToString()));
}
/// <exception cref="System.Exception"/>
public virtual void TestUpdateResourceOnNode()
{
AsyncDispatcher dispatcher = new InlineDispatcher();
Configuration conf = new Configuration();
RMContainerTokenSecretManager containerTokenSecretManager = new RMContainerTokenSecretManager
(conf);
containerTokenSecretManager.RollMasterKey();
NMTokenSecretManagerInRM nmTokenSecretManager = new NMTokenSecretManagerInRM(conf
);
nmTokenSecretManager.RollMasterKey();
RMApplicationHistoryWriter writer = Org.Mockito.Mockito.Mock <RMApplicationHistoryWriter
>();
FifoScheduler scheduler = new _FifoScheduler_275(this);
RMContext rmContext = new RMContextImpl(dispatcher, null, null, null, null, null,
containerTokenSecretManager, nmTokenSecretManager, null, scheduler);
rmContext.SetSystemMetricsPublisher(Org.Mockito.Mockito.Mock <SystemMetricsPublisher
>());
rmContext.SetRMApplicationHistoryWriter(Org.Mockito.Mockito.Mock <RMApplicationHistoryWriter
>());
((RMContextImpl)rmContext).SetYarnConfiguration(new YarnConfiguration());
scheduler.SetRMContext(rmContext);
scheduler.Init(conf);
scheduler.Start();
scheduler.Reinitialize(new Configuration(), rmContext);
RMNode node0 = MockNodes.NewNodeInfo(1, Resources.CreateResource(2048, 4), 1, "127.0.0.1"
);
NodeAddedSchedulerEvent nodeEvent1 = new NodeAddedSchedulerEvent(node0);
scheduler.Handle(nodeEvent1);
MethodInfo method = Sharpen.Runtime.GetDeclaredMethod(scheduler.GetType(), "getNodes"
);
IDictionary <NodeId, FiCaSchedulerNode> schedulerNodes = (IDictionary <NodeId, FiCaSchedulerNode
>)method.Invoke(scheduler);
NUnit.Framework.Assert.AreEqual(schedulerNodes.Values.Count, 1);
Org.Apache.Hadoop.Yarn.Api.Records.Resource newResource = Resources.CreateResource
(1024, 4);
NodeResourceUpdateSchedulerEvent node0ResourceUpdate = new NodeResourceUpdateSchedulerEvent
(node0, ResourceOption.NewInstance(newResource, RMNode.OverCommitTimeoutMillisDefault
));
scheduler.Handle(node0ResourceUpdate);
// SchedulerNode's total resource and available resource are changed.
NUnit.Framework.Assert.AreEqual(schedulerNodes[node0.GetNodeID()].GetTotalResource
().GetMemory(), 1024);
NUnit.Framework.Assert.AreEqual(schedulerNodes[node0.GetNodeID()].GetAvailableResource
().GetMemory(), 1024);
QueueInfo queueInfo = scheduler.GetQueueInfo(null, false, false);
NUnit.Framework.Assert.AreEqual(0.0f, queueInfo.GetCurrentCapacity(), 0.0f);
int _appId = 1;
int _appAttemptId = 1;
ApplicationAttemptId appAttemptId = CreateAppAttemptId(_appId, _appAttemptId);
CreateMockRMApp(appAttemptId, rmContext);
AppAddedSchedulerEvent appEvent = new AppAddedSchedulerEvent(appAttemptId.GetApplicationId
(), "queue1", "user1");
scheduler.Handle(appEvent);
AppAttemptAddedSchedulerEvent attemptEvent = new AppAttemptAddedSchedulerEvent(appAttemptId
, false);
scheduler.Handle(attemptEvent);
int memory = 1024;
int priority = 1;
IList <ResourceRequest> ask = new AList <ResourceRequest>();
ResourceRequest nodeLocal = CreateResourceRequest(memory, node0.GetHostName(), priority
, 1);
ResourceRequest rackLocal = CreateResourceRequest(memory, node0.GetRackName(), priority
, 1);
ResourceRequest any = CreateResourceRequest(memory, ResourceRequest.Any, priority
, 1);
ask.AddItem(nodeLocal);
ask.AddItem(rackLocal);
ask.AddItem(any);
scheduler.Allocate(appAttemptId, ask, new AList <ContainerId>(), null, null);
// Before the node update event, there are one local request
NUnit.Framework.Assert.AreEqual(1, nodeLocal.GetNumContainers());
NodeUpdateSchedulerEvent node0Update = new NodeUpdateSchedulerEvent(node0);
// Now schedule.
scheduler.Handle(node0Update);
// After the node update event, check no local request
NUnit.Framework.Assert.AreEqual(0, nodeLocal.GetNumContainers());
// Also check that one container was scheduled
SchedulerAppReport info = scheduler.GetSchedulerAppInfo(appAttemptId);
NUnit.Framework.Assert.AreEqual(1, info.GetLiveContainers().Count);
// And check the default Queue now is full.
queueInfo = scheduler.GetQueueInfo(null, false, false);
NUnit.Framework.Assert.AreEqual(1.0f, queueInfo.GetCurrentCapacity(), 0.0f);
}
public RMContextImpl(Dispatcher rmDispatcher, ContainerAllocationExpirer containerAllocationExpirer
, AMLivelinessMonitor amLivelinessMonitor, AMLivelinessMonitor amFinishingMonitor
, DelegationTokenRenewer delegationTokenRenewer, AMRMTokenSecretManager appTokenSecretManager
, RMContainerTokenSecretManager containerTokenSecretManager, NMTokenSecretManagerInRM
nmTokenSecretManager, ClientToAMTokenSecretManagerInRM clientToAMTokenSecretManager
)
: this(rmDispatcher, containerAllocationExpirer, amLivelinessMonitor, amFinishingMonitor
, delegationTokenRenewer, appTokenSecretManager, containerTokenSecretManager, nmTokenSecretManager
, clientToAMTokenSecretManager, null)
{
}
public _ResourceTrackerService_556(RMContext baseArg1, NodesListManager baseArg2,
NMLivelinessMonitor baseArg3, RMContainerTokenSecretManager baseArg4, NMTokenSecretManagerInRM
baseArg5)
: base(baseArg1, baseArg2, baseArg3, baseArg4, baseArg5)
{
}
/// <exception cref="System.Exception"/>
private void TestNMTokens(Configuration conf)
{
NMTokenSecretManagerInRM nmTokenSecretManagerRM = yarnCluster.GetResourceManager(
).GetRMContext().GetNMTokenSecretManager();
NMTokenSecretManagerInNM nmTokenSecretManagerNM = yarnCluster.GetNodeManager(0).GetNMContext
().GetNMTokenSecretManager();
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
NodeManager nm = yarnCluster.GetNodeManager(0);
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerNM, nm);
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerNM.GetCurrentKey().GetKeyId()
, nmTokenSecretManagerRM.GetCurrentKey().GetKeyId());
/*
* Below cases should be tested.
* 1) If Invalid NMToken is used then it should be rejected.
* 2) If valid NMToken but belonging to another Node is used then that
* too should be rejected.
* 3) NMToken for say appAttempt-1 is used for starting/stopping/retrieving
* status for container with containerId for say appAttempt-2 should
* be rejected.
* 4) After start container call is successful nmtoken should have been
* saved in NMTokenSecretManagerInNM.
* 5) If start container call was successful (no matter if container is
* still running or not), appAttempt->NMToken should be present in
* NMTokenSecretManagerInNM's cache. Any future getContainerStatus call
* for containerId belonging to that application attempt using
* applicationAttempt's older nmToken should not get any invalid
* nmToken error. (This can be best tested if we roll over NMToken
* master key twice).
*/
YarnRPC rpc = YarnRPC.Create(conf);
string user = "******";
Resource r = Resource.NewInstance(1024, 1);
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId validAppAttemptId = ApplicationAttemptId.NewInstance(appId,
1);
ContainerId validContainerId = ContainerId.NewContainerId(validAppAttemptId, 0);
NodeId validNode = yarnCluster.GetNodeManager(0).GetNMContext().GetNodeId();
NodeId invalidNode = NodeId.NewInstance("InvalidHost", 1234);
Token validNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode
, user);
Token validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId
, validNode, user, r, Priority.NewInstance(10), 1234);
ContainerTokenIdentifier identifier = BuilderUtils.NewContainerTokenIdentifier(validContainerToken
);
NUnit.Framework.Assert.AreEqual(Priority.NewInstance(10), identifier.GetPriority(
));
NUnit.Framework.Assert.AreEqual(1234, identifier.GetCreationTime());
StringBuilder sb;
// testInvalidNMToken ... creating NMToken using different secret manager.
NMTokenSecretManagerInRM tempManager = new NMTokenSecretManagerInRM(conf);
tempManager.RollMasterKey();
do
{
tempManager.RollMasterKey();
tempManager.ActivateNextMasterKey();
}while (tempManager.GetCurrentKey().GetKeyId() == nmTokenSecretManagerRM.GetCurrentKey
().GetKeyId());
// Making sure key id is different.
// Testing that NM rejects the requests when we don't send any token.
if (UserGroupInformation.IsSecurityEnabled())
{
sb = new StringBuilder("Client cannot authenticate via:[TOKEN]");
}
else
{
sb = new StringBuilder("SIMPLE authentication is not enabled. Available:[TOKEN]"
);
}
string errorMsg = TestStartContainer(rpc, validAppAttemptId, validNode, validContainerToken
, null, true);
NUnit.Framework.Assert.IsTrue(errorMsg.Contains(sb.ToString()));
Token invalidNMToken = tempManager.CreateNMToken(validAppAttemptId, validNode, user
);
sb = new StringBuilder("Given NMToken for application : ");
sb.Append(validAppAttemptId.ToString()).Append(" seems to have been generated illegally."
);
NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId
, validNode, validContainerToken, invalidNMToken, true)));
// valid NMToken but belonging to other node
invalidNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, invalidNode
, user);
sb = new StringBuilder("Given NMToken for application : ");
sb.Append(validAppAttemptId).Append(" is not valid for current node manager.expected : "
).Append(validNode.ToString()).Append(" found : ").Append(invalidNode.ToString()
);
NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId
, validNode, validContainerToken, invalidNMToken, true)));
// using correct tokens. nmtoken for app attempt should get saved.
conf.SetInt(YarnConfiguration.RmContainerAllocExpiryIntervalMs, 4 * 60 * 1000);
validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId
, validNode, user, r, Priority.NewInstance(0), 0);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode
, validContainerToken, validNMToken, false).IsEmpty());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent
(validAppAttemptId));
// using a new compatible version nmtoken, expect container can be started
// successfully.
ApplicationAttemptId validAppAttemptId2 = ApplicationAttemptId.NewInstance(appId,
2);
ContainerId validContainerId2 = ContainerId.NewContainerId(validAppAttemptId2, 0);
Token validContainerToken2 = containerTokenSecretManager.CreateContainerToken(validContainerId2
, validNode, user, r, Priority.NewInstance(0), 0);
Token validNMToken2 = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId2, validNode
, user);
// First, get a new NMTokenIdentifier.
NMTokenIdentifier newIdentifier = new NMTokenIdentifier();
byte[] tokenIdentifierContent = ((byte[])validNMToken2.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
newIdentifier.ReadFields(dib);
// Then, generate a new version NMTokenIdentifier (NMTokenIdentifierNewForTest)
// with additional field of message.
NMTokenIdentifierNewForTest newVersionIdentifier = new NMTokenIdentifierNewForTest
(newIdentifier, "message");
// check new version NMTokenIdentifier has correct info.
NUnit.Framework.Assert.AreEqual("The ApplicationAttemptId is changed after set to "
+ "newVersionIdentifier", validAppAttemptId2.GetAttemptId(), newVersionIdentifier
.GetApplicationAttemptId().GetAttemptId());
NUnit.Framework.Assert.AreEqual("The message is changed after set to newVersionIdentifier"
, "message", newVersionIdentifier.GetMessage());
NUnit.Framework.Assert.AreEqual("The NodeId is changed after set to newVersionIdentifier"
, validNode, newVersionIdentifier.GetNodeId());
// create new Token based on new version NMTokenIdentifier.
Token newVersionedNMToken = BaseNMTokenSecretManager.NewInstance(nmTokenSecretManagerRM
.RetrievePassword(newVersionIdentifier), newVersionIdentifier);
// Verify startContainer is successful and no exception is thrown.
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId2, validNode
, validContainerToken2, newVersionedNMToken, false).IsEmpty());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent
(validAppAttemptId2));
//Now lets wait till container finishes and is removed from node manager.
WaitForContainerToFinishOnNM(validContainerId);
sb = new StringBuilder("Attempt to relaunch the same container with id ");
sb.Append(validContainerId);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode
, validContainerToken, validNMToken, true).Contains(sb.ToString()));
// Container is removed from node manager's memory by this time.
// trying to stop the container. It should not throw any exception.
TestStopContainer(rpc, validAppAttemptId, validNode, validContainerId, validNMToken
, false);
// Rolling over master key twice so that we can check whether older keys
// are used for authentication.
RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM);
// Key rolled over once.. rolling over again
RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM);
// trying get container status. Now saved nmToken should be used for
// authentication... It should complain saying container was recently
// stopped.
sb = new StringBuilder("Container ");
sb.Append(validContainerId);
sb.Append(" was recently stopped on node manager");
NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode,
validContainerId, validNMToken, true).Contains(sb.ToString()));
// Now lets remove the container from nm-memory
nm.GetNodeStatusUpdater().ClearFinishedContainersFromCache();
// This should fail as container is removed from recently tracked finished
// containers.
sb = new StringBuilder("Container ");
sb.Append(validContainerId.ToString());
sb.Append(" is not handled by this NodeManager");
NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode,
validContainerId, validNMToken, false).Contains(sb.ToString()));
// using appAttempt-1 NMtoken for launching container for appAttempt-2 should
// succeed.
ApplicationAttemptId attempt2 = ApplicationAttemptId.NewInstance(appId, 2);
Token attempt1NMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode
, user);
Token newContainerToken = containerTokenSecretManager.CreateContainerToken(ContainerId
.NewContainerId(attempt2, 1), validNode, user, r, Priority.NewInstance(0), 0);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, attempt2, validNode, newContainerToken
, attempt1NMToken, false).IsEmpty());
}
