/// <exception cref="System.Exception"/>
private void VerifyAdministerQueueUserAccess()
{
isQueueUser = true;
AccessControlList viewACL = new AccessControlList(string.Empty);
viewACL.AddGroup(FriendlyGroup);
AccessControlList modifyACL = new AccessControlList(string.Empty);
modifyACL.AddUser(Friend);
ApplicationId applicationId = SubmitAppAndGetAppId(viewACL, modifyACL);
GetApplicationReportRequest appReportRequest = recordFactory.NewRecordInstance <GetApplicationReportRequest
>();
appReportRequest.SetApplicationId(applicationId);
KillApplicationRequest finishAppRequest = recordFactory.NewRecordInstance <KillApplicationRequest
>();
finishAppRequest.SetApplicationId(applicationId);
ApplicationClientProtocol administerQueueUserRmClient = GetRMClientForUser(QueueAdminUser
);
// View as the administerQueueUserRmClient
administerQueueUserRmClient.GetApplicationReport(appReportRequest);
// List apps as administerQueueUserRmClient
NUnit.Framework.Assert.AreEqual("App view by queue-admin-user should list the apps!!"
, 5, administerQueueUserRmClient.GetApplications(recordFactory.NewRecordInstance
<GetApplicationsRequest>()).GetApplicationList().Count);
// Kill app as the administerQueueUserRmClient
administerQueueUserRmClient.ForceKillApplication(finishAppRequest);
resourceManager.WaitForState(applicationId, RMAppState.Killed);
}
/// <exception cref="System.Exception"/>
private void VerifyOwnerAccess()
{
AccessControlList viewACL = new AccessControlList(string.Empty);
viewACL.AddGroup(FriendlyGroup);
AccessControlList modifyACL = new AccessControlList(string.Empty);
modifyACL.AddUser(Friend);
ApplicationId applicationId = SubmitAppAndGetAppId(viewACL, modifyACL);
GetApplicationReportRequest appReportRequest = recordFactory.NewRecordInstance <GetApplicationReportRequest
>();
appReportRequest.SetApplicationId(applicationId);
KillApplicationRequest finishAppRequest = recordFactory.NewRecordInstance <KillApplicationRequest
>();
finishAppRequest.SetApplicationId(applicationId);
// View as owner
rmClient.GetApplicationReport(appReportRequest);
// List apps as owner
NUnit.Framework.Assert.AreEqual("App view by owner should list the apps!!", 1, rmClient
.GetApplications(recordFactory.NewRecordInstance <GetApplicationsRequest>()).GetApplicationList
().Count);
// Kill app as owner
rmClient.ForceKillApplication(finishAppRequest);
resourceManager.WaitForState(applicationId, RMAppState.Killed);
}
/// <summary>
/// Get an application report for the specified application id from the RM and
/// fall back to the Application History Server if not found in RM.
/// </summary>
/// <param name="appId">id of the application to get.</param>
/// <returns>the ApplicationReport for the appId.</returns>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException">on any error.</exception>
/// <exception cref="System.IO.IOException"/>
public virtual AppReportFetcher.FetchedAppReport GetApplicationReport(ApplicationId
appId)
{
GetApplicationReportRequest request = recordFactory.NewRecordInstance <GetApplicationReportRequest
>();
request.SetApplicationId(appId);
ApplicationReport appReport;
AppReportFetcher.FetchedAppReport fetchedAppReport;
try
{
appReport = applicationsManager.GetApplicationReport(request).GetApplicationReport
();
fetchedAppReport = new AppReportFetcher.FetchedAppReport(appReport, AppReportFetcher.AppReportSource
.Rm);
}
catch (ApplicationNotFoundException e)
{
if (!isAHSEnabled)
{
// Just throw it as usual if historyService is not enabled.
throw;
}
//Fetch the application report from AHS
appReport = historyManager.GetApplicationReport(request).GetApplicationReport();
fetchedAppReport = new AppReportFetcher.FetchedAppReport(appReport, AppReportFetcher.AppReportSource
.Ahs);
}
return(fetchedAppReport);
}
/// <exception cref="System.Exception"/>
private void VerifyEnemyAccess()
{
AccessControlList viewACL = new AccessControlList(string.Empty);
viewACL.AddGroup(FriendlyGroup);
AccessControlList modifyACL = new AccessControlList(string.Empty);
modifyACL.AddUser(Friend);
ApplicationId applicationId = SubmitAppAndGetAppId(viewACL, modifyACL);
GetApplicationReportRequest appReportRequest = recordFactory.NewRecordInstance <GetApplicationReportRequest
>();
appReportRequest.SetApplicationId(applicationId);
KillApplicationRequest finishAppRequest = recordFactory.NewRecordInstance <KillApplicationRequest
>();
finishAppRequest.SetApplicationId(applicationId);
ApplicationClientProtocol enemyRmClient = GetRMClientForUser(Enemy);
// View as the enemy
ApplicationReport appReport = enemyRmClient.GetApplicationReport(appReportRequest
).GetApplicationReport();
VerifyEnemyAppReport(appReport);
// List apps as enemy
IList <ApplicationReport> appReports = enemyRmClient.GetApplications(recordFactory
.NewRecordInstance <GetApplicationsRequest>()).GetApplicationList();
NUnit.Framework.Assert.AreEqual("App view by enemy should list the apps!!", 4, appReports
.Count);
foreach (ApplicationReport report in appReports)
{
VerifyEnemyAppReport(report);
}
// Kill app as the enemy
try
{
enemyRmClient.ForceKillApplication(finishAppRequest);
NUnit.Framework.Assert.Fail("App killing by the enemy should fail!!");
}
catch (YarnException e)
{
Log.Info("Got exception while killing app as the enemy", e);
NUnit.Framework.Assert.IsTrue(e.Message.Contains("User enemy cannot perform operation MODIFY_APP on "
+ applicationId));
}
rmClient.ForceKillApplication(finishAppRequest);
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public override ApplicationReport GetApplicationReport(ApplicationId appId)
{
GetApplicationReportResponse response = null;
try
{
GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetApplicationReportRequest>();
request.SetApplicationId(appId);
response = rmClient.GetApplicationReport(request);
}
catch (ApplicationNotFoundException e)
{
if (!historyServiceEnabled)
{
// Just throw it as usual if historyService is not enabled.
throw;
}
return(historyClient.GetApplicationReport(appId));
}
return(response.GetApplicationReport());
}
/// <exception cref="System.Exception"/>
public virtual void TestClientTokenRace()
{
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
>();
StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
>();
Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
)Matchers.Any())).ThenReturn(mockResponse);
DrainDispatcher dispatcher = new DrainDispatcher();
MockRM rm = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager
);
rm.Start();
// Submit an app
RMApp app = rm.SubmitApp(1024);
// Set up a node.
MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);
nm1.NodeHeartbeat(true);
dispatcher.Await();
nm1.NodeHeartbeat(true);
dispatcher.Await();
ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
.GetCurrentAppAttempt().GetAppAttemptId());
UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
());
RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469
(mockAM));
// Get the app-report.
GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetApplicationReportRequest>();
request.SetApplicationId(app.GetApplicationId());
GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
(request);
ApplicationReport appReport = reportResponse.GetApplicationReport();
Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
();
// ClientToAMToken master key should have been received on register
// application master response.
ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey();
NUnit.Framework.Assert.IsNotNull(clientMasterKey);
NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0);
// Start the AM with the correct shared-secret.
ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
();
NUnit.Framework.Assert.IsNotNull(appAttemptId);
TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
, null);
am.Init(conf);
am.Start();
// Now the real test!
// Set up clients to be able to pick up correct tokens.
SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
());
Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
.ConvertFromYarn(originalClientToAMToken, am.address);
// Schedule the key to be set after a significant delay
Timer timer = new Timer();
TimerTask timerTask = new _TimerTask_516(am, clientMasterKey);
timer.Schedule(timerTask, 250);
// connect should pause waiting for the master key to arrive
VerifyValidToken(conf, am, token);
am.Stop();
rm.Stop();
}
public virtual void TestClientToAMTokens()
{
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
>();
StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
>();
Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
)Matchers.Any())).ThenReturn(mockResponse);
DrainDispatcher dispatcher = new DrainDispatcher();
MockRM rm = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager
);
rm.Start();
// Submit an app
RMApp app = rm.SubmitApp(1024);
// Set up a node.
MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);
nm1.NodeHeartbeat(true);
dispatcher.Await();
nm1.NodeHeartbeat(true);
dispatcher.Await();
ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
.GetCurrentAppAttempt().GetAppAttemptId());
UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
());
RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_229
(mockAM));
// Get the app-report.
GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetApplicationReportRequest>();
request.SetApplicationId(app.GetApplicationId());
GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
(request);
ApplicationReport appReport = reportResponse.GetApplicationReport();
Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
();
// ClientToAMToken master key should have been received on register
// application master response.
NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey());
NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array
()).Length > 0);
// Start the AM with the correct shared-secret.
ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
();
NUnit.Framework.Assert.IsNotNull(appAttemptId);
TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
, ((byte[])response.GetClientToAMTokenMasterKey().Array()));
am.Init(conf);
am.Start();
// Now the real test!
// Set up clients to be able to pick up correct tokens.
SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
());
// Verify denial for unauthenticated user
try
{
TestClientToAMTokens.CustomProtocol client = (TestClientToAMTokens.CustomProtocol
)RPC.GetProxy <TestClientToAMTokens.CustomProtocol>(1L, am.address, conf);
client.Ping();
NUnit.Framework.Assert.Fail("Access by unauthenticated user should fail!!");
}
catch (Exception)
{
NUnit.Framework.Assert.IsFalse(am.pinged);
}
Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
.ConvertFromYarn(originalClientToAMToken, am.address);
// Verify denial for a malicious user with tampered ID
VerifyTokenWithTamperedID(conf, am, token);
// Verify denial for a malicious user with tampered user-name
VerifyTokenWithTamperedUserName(conf, am, token);
// Now for an authenticated user
VerifyValidToken(conf, am, token);
// Verify for a new version token
VerifyNewVersionToken(conf, am, token, rm);
am.Stop();
rm.Stop();
}