/// <exception cref="System.Exception"/>
protected internal virtual void RollNMTokenMasterKey(NMTokenSecretManagerInRM nmTokenSecretManagerRM
, NMTokenSecretManagerInNM nmTokenSecretManagerNM)
{
int oldKeyId = nmTokenSecretManagerRM.GetCurrentKey().GetKeyId();
nmTokenSecretManagerRM.RollMasterKey();
int interval = 40;
while (nmTokenSecretManagerNM.GetCurrentKey().GetKeyId() == oldKeyId && interval--
> 0)
{
Sharpen.Thread.Sleep(1000);
}
nmTokenSecretManagerRM.ActivateNextMasterKey();
NUnit.Framework.Assert.IsTrue((nmTokenSecretManagerNM.GetCurrentKey().GetKeyId()
== nmTokenSecretManagerRM.GetCurrentKey().GetKeyId()));
}
/// <exception cref="System.Exception"/>
private void TestNMTokens(Configuration conf)
{
NMTokenSecretManagerInRM nmTokenSecretManagerRM = yarnCluster.GetResourceManager(
).GetRMContext().GetNMTokenSecretManager();
NMTokenSecretManagerInNM nmTokenSecretManagerNM = yarnCluster.GetNodeManager(0).GetNMContext
().GetNMTokenSecretManager();
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
NodeManager nm = yarnCluster.GetNodeManager(0);
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerNM, nm);
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerNM.GetCurrentKey().GetKeyId()
, nmTokenSecretManagerRM.GetCurrentKey().GetKeyId());
/*
* Below cases should be tested.
* 1) If Invalid NMToken is used then it should be rejected.
* 2) If valid NMToken but belonging to another Node is used then that
* too should be rejected.
* 3) NMToken for say appAttempt-1 is used for starting/stopping/retrieving
* status for container with containerId for say appAttempt-2 should
* be rejected.
* 4) After start container call is successful nmtoken should have been
* saved in NMTokenSecretManagerInNM.
* 5) If start container call was successful (no matter if container is
* still running or not), appAttempt->NMToken should be present in
* NMTokenSecretManagerInNM's cache. Any future getContainerStatus call
* for containerId belonging to that application attempt using
* applicationAttempt's older nmToken should not get any invalid
* nmToken error. (This can be best tested if we roll over NMToken
* master key twice).
*/
YarnRPC rpc = YarnRPC.Create(conf);
string user = "******";
Resource r = Resource.NewInstance(1024, 1);
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId validAppAttemptId = ApplicationAttemptId.NewInstance(appId,
1);
ContainerId validContainerId = ContainerId.NewContainerId(validAppAttemptId, 0);
NodeId validNode = yarnCluster.GetNodeManager(0).GetNMContext().GetNodeId();
NodeId invalidNode = NodeId.NewInstance("InvalidHost", 1234);
Token validNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode
, user);
Token validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId
, validNode, user, r, Priority.NewInstance(10), 1234);
ContainerTokenIdentifier identifier = BuilderUtils.NewContainerTokenIdentifier(validContainerToken
);
NUnit.Framework.Assert.AreEqual(Priority.NewInstance(10), identifier.GetPriority(
));
NUnit.Framework.Assert.AreEqual(1234, identifier.GetCreationTime());
StringBuilder sb;
// testInvalidNMToken ... creating NMToken using different secret manager.
NMTokenSecretManagerInRM tempManager = new NMTokenSecretManagerInRM(conf);
tempManager.RollMasterKey();
do
{
tempManager.RollMasterKey();
tempManager.ActivateNextMasterKey();
}while (tempManager.GetCurrentKey().GetKeyId() == nmTokenSecretManagerRM.GetCurrentKey
().GetKeyId());
// Making sure key id is different.
// Testing that NM rejects the requests when we don't send any token.
if (UserGroupInformation.IsSecurityEnabled())
{
sb = new StringBuilder("Client cannot authenticate via:[TOKEN]");
}
else
{
sb = new StringBuilder("SIMPLE authentication is not enabled. Available:[TOKEN]"
);
}
string errorMsg = TestStartContainer(rpc, validAppAttemptId, validNode, validContainerToken
, null, true);
NUnit.Framework.Assert.IsTrue(errorMsg.Contains(sb.ToString()));
Token invalidNMToken = tempManager.CreateNMToken(validAppAttemptId, validNode, user
);
sb = new StringBuilder("Given NMToken for application : ");
sb.Append(validAppAttemptId.ToString()).Append(" seems to have been generated illegally."
);
NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId
, validNode, validContainerToken, invalidNMToken, true)));
// valid NMToken but belonging to other node
invalidNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, invalidNode
, user);
sb = new StringBuilder("Given NMToken for application : ");
sb.Append(validAppAttemptId).Append(" is not valid for current node manager.expected : "
).Append(validNode.ToString()).Append(" found : ").Append(invalidNode.ToString()
);
NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId
, validNode, validContainerToken, invalidNMToken, true)));
// using correct tokens. nmtoken for app attempt should get saved.
conf.SetInt(YarnConfiguration.RmContainerAllocExpiryIntervalMs, 4 * 60 * 1000);
validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId
, validNode, user, r, Priority.NewInstance(0), 0);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode
, validContainerToken, validNMToken, false).IsEmpty());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent
(validAppAttemptId));
// using a new compatible version nmtoken, expect container can be started
// successfully.
ApplicationAttemptId validAppAttemptId2 = ApplicationAttemptId.NewInstance(appId,
2);
ContainerId validContainerId2 = ContainerId.NewContainerId(validAppAttemptId2, 0);
Token validContainerToken2 = containerTokenSecretManager.CreateContainerToken(validContainerId2
, validNode, user, r, Priority.NewInstance(0), 0);
Token validNMToken2 = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId2, validNode
, user);
// First, get a new NMTokenIdentifier.
NMTokenIdentifier newIdentifier = new NMTokenIdentifier();
byte[] tokenIdentifierContent = ((byte[])validNMToken2.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
newIdentifier.ReadFields(dib);
// Then, generate a new version NMTokenIdentifier (NMTokenIdentifierNewForTest)
// with additional field of message.
NMTokenIdentifierNewForTest newVersionIdentifier = new NMTokenIdentifierNewForTest
(newIdentifier, "message");
// check new version NMTokenIdentifier has correct info.
NUnit.Framework.Assert.AreEqual("The ApplicationAttemptId is changed after set to "
+ "newVersionIdentifier", validAppAttemptId2.GetAttemptId(), newVersionIdentifier
.GetApplicationAttemptId().GetAttemptId());
NUnit.Framework.Assert.AreEqual("The message is changed after set to newVersionIdentifier"
, "message", newVersionIdentifier.GetMessage());
NUnit.Framework.Assert.AreEqual("The NodeId is changed after set to newVersionIdentifier"
, validNode, newVersionIdentifier.GetNodeId());
// create new Token based on new version NMTokenIdentifier.
Token newVersionedNMToken = BaseNMTokenSecretManager.NewInstance(nmTokenSecretManagerRM
.RetrievePassword(newVersionIdentifier), newVersionIdentifier);
// Verify startContainer is successful and no exception is thrown.
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId2, validNode
, validContainerToken2, newVersionedNMToken, false).IsEmpty());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent
(validAppAttemptId2));
//Now lets wait till container finishes and is removed from node manager.
WaitForContainerToFinishOnNM(validContainerId);
sb = new StringBuilder("Attempt to relaunch the same container with id ");
sb.Append(validContainerId);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode
, validContainerToken, validNMToken, true).Contains(sb.ToString()));
// Container is removed from node manager's memory by this time.
// trying to stop the container. It should not throw any exception.
TestStopContainer(rpc, validAppAttemptId, validNode, validContainerId, validNMToken
, false);
// Rolling over master key twice so that we can check whether older keys
// are used for authentication.
RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM);
// Key rolled over once.. rolling over again
RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM);
// trying get container status. Now saved nmToken should be used for
// authentication... It should complain saying container was recently
// stopped.
sb = new StringBuilder("Container ");
sb.Append(validContainerId);
sb.Append(" was recently stopped on node manager");
NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode,
validContainerId, validNMToken, true).Contains(sb.ToString()));
// Now lets remove the container from nm-memory
nm.GetNodeStatusUpdater().ClearFinishedContainersFromCache();
// This should fail as container is removed from recently tracked finished
// containers.
sb = new StringBuilder("Container ");
sb.Append(validContainerId.ToString());
sb.Append(" is not handled by this NodeManager");
NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode,
validContainerId, validNMToken, false).Contains(sb.ToString()));
// using appAttempt-1 NMtoken for launching container for appAttempt-2 should
// succeed.
ApplicationAttemptId attempt2 = ApplicationAttemptId.NewInstance(appId, 2);
Token attempt1NMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode
, user);
Token newContainerToken = containerTokenSecretManager.CreateContainerToken(ContainerId
.NewContainerId(attempt2, 1), validNode, user, r, Priority.NewInstance(0), 0);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, attempt2, validNode, newContainerToken
, attempt1NMToken, false).IsEmpty());
}
/// <exception cref="System.Exception"/>
public virtual void TestNMToken()
{
MockRM rm = new MockRM(conf);
try
{
rm.Start();
MockNM nm1 = rm.RegisterNode("h1:1234", 10000);
NMTokenSecretManagerInRM nmTokenSecretManager = rm.GetRMContext().GetNMTokenSecretManager
();
// submitting new application
RMApp app = rm.SubmitApp(1000);
// start scheduling.
nm1.NodeHeartbeat(true);
// Starting application attempt and launching
// It should get registered with NMTokenSecretManager.
RMAppAttempt attempt = app.GetCurrentAppAttempt();
MockAM am = rm.SendAMLaunched(attempt.GetAppAttemptId());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
// This will register application master.
am.RegisterAppAttempt();
AList <Container> containersReceivedForNM1 = new AList <Container>();
IList <ContainerId> releaseContainerList = new AList <ContainerId>();
Dictionary <string, Token> nmTokens = new Dictionary <string, Token>();
// initially requesting 2 containers.
AllocateResponse response = am.Allocate("h1", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM1, 2, nmTokens,
nm1);
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
// requesting 2 more containers.
response = am.Allocate("h1", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM1, 4, nmTokens,
nm1);
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
// We will be simulating NM restart so restarting newly added h2:1234
// NM 2 now registers.
MockNM nm2 = rm.RegisterNode("h2:1234", 10000);
nm2.NodeHeartbeat(true);
AList <Container> containersReceivedForNM2 = new AList <Container>();
response = am.Allocate("h2", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM2, 2, nmTokens,
nm2);
NUnit.Framework.Assert.AreEqual(2, nmTokens.Count);
// Simulating NM-2 restart.
nm2 = rm.RegisterNode("h2:1234", 10000);
// Wait for reconnect to make it through the RM and create a new RMNode
IDictionary <NodeId, RMNode> nodes = rm.GetRMContext().GetRMNodes();
while (nodes[nm2.GetNodeId()].GetLastNodeHeartBeatResponse().GetResponseId() > 0)
{
Sharpen.Thread.Sleep(WaitSleepMs);
}
int interval = 40;
// Wait for nm Token to be cleared.
while (nmTokenSecretManager.IsApplicationAttemptNMTokenPresent(attempt.GetAppAttemptId
(), nm2.GetNodeId()) && interval-- > 0)
{
Log.Info("waiting for nmToken to be cleared for : " + nm2.GetNodeId());
Sharpen.Thread.Sleep(WaitSleepMs);
}
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
// removing NMToken for h2:1234
Sharpen.Collections.Remove(nmTokens, nm2.GetNodeId().ToString());
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
// We should again receive the NMToken.
response = am.Allocate("h2", 1000, 2, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM2, 4, nmTokens,
nm2);
NUnit.Framework.Assert.AreEqual(2, nmTokens.Count);
// Now rolling over NMToken masterKey. it should resend the NMToken in
// next allocate call.
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm1.GetNodeId()));
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm2.GetNodeId()));
nmTokenSecretManager.RollMasterKey();
nmTokenSecretManager.ActivateNextMasterKey();
NUnit.Framework.Assert.IsFalse(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm1.GetNodeId()));
NUnit.Framework.Assert.IsFalse(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm2.GetNodeId()));
// It should not remove application attempt entry.
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
nmTokens.Clear();
NUnit.Framework.Assert.AreEqual(0, nmTokens.Count);
// We should again receive the NMToken.
response = am.Allocate("h2", 1000, 1, releaseContainerList);
NUnit.Framework.Assert.AreEqual(0, response.GetAllocatedContainers().Count);
AllocateContainersAndValidateNMTokens(am, containersReceivedForNM2, 5, nmTokens,
nm2);
NUnit.Framework.Assert.AreEqual(1, nmTokens.Count);
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptNMTokenPresent
(attempt.GetAppAttemptId(), nm2.GetNodeId()));
// After AM is finished making sure that nmtoken entry for app
NUnit.Framework.Assert.IsTrue(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
am.UnregisterAppAttempt();
// marking all the containers as finished.
foreach (Container container in containersReceivedForNM1)
{
nm1.NodeHeartbeat(attempt.GetAppAttemptId(), container.GetId().GetContainerId(),
ContainerState.Complete);
}
foreach (Container container_1 in containersReceivedForNM2)
{
nm2.NodeHeartbeat(attempt.GetAppAttemptId(), container_1.GetId().GetContainerId()
, ContainerState.Complete);
}
nm1.NodeHeartbeat(am.GetApplicationAttemptId(), 1, ContainerState.Complete);
am.WaitForState(RMAppAttemptState.Finished);
NUnit.Framework.Assert.IsFalse(nmTokenSecretManager.IsApplicationAttemptRegistered
(attempt.GetAppAttemptId()));
}
finally
{
rm.Stop();
}
}