/// <exception cref="System.IO.IOException"/>
private NMTokenIdentifier GetNMTokenId(Org.Apache.Hadoop.Yarn.Api.Records.Token token
)
{
Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> convertedToken = ConverterUtils
.ConvertFromYarn(token, (Text)null);
return(convertedToken.DecodeIdentifier());
}
// Get the delegation token directly as it is a little difficult to setup
// the kerberos based rpc.
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private Org.Apache.Hadoop.Yarn.Api.Records.Token GetDelegationToken(UserGroupInformation
loggedInUser, ApplicationClientProtocol clientRMService, string renewerString)
{
Org.Apache.Hadoop.Yarn.Api.Records.Token token = loggedInUser.DoAs(new _PrivilegedExceptionAction_405
(renewerString, clientRMService));
return(token);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private long RenewDelegationToken(UserGroupInformation loggedInUser, ApplicationClientProtocol
clientRMService, Org.Apache.Hadoop.Yarn.Api.Records.Token dToken)
{
long nextExpTime = loggedInUser.DoAs(new _PrivilegedExceptionAction_423(dToken, clientRMService
));
return(nextExpTime);
}
/// <exception cref="System.IO.IOException"/>
public static ContainerTokenIdentifier NewContainerTokenIdentifier(Org.Apache.Hadoop.Yarn.Api.Records.Token
containerToken)
{
Org.Apache.Hadoop.Security.Token.Token <ContainerTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<ContainerTokenIdentifier>(((byte[])containerToken.GetIdentifier().Array()), ((byte
[])containerToken.GetPassword().Array()), new Text(containerToken.GetKind()), new
Text(containerToken.GetService()));
return(token.DecodeIdentifier());
}
/// <summary>This tests whether a containerId is serialized/deserialized with epoch.</summary>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
private void TestContainerTokenWithEpoch(Configuration conf)
{
Log.Info("Running test for serializing/deserializing containerIds");
NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager
().GetRMContext().GetNMTokenSecretManager();
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, (5L << 40) | 3L);
NodeManager nm = yarnCluster.GetNodeManager(0);
NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager
();
string user = "******";
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm);
NodeId nodeId = nm.GetNMContext().GetNodeId();
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId
(), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId());
// Creating a normal Container Token
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
Resource r = Resource.NewInstance(1230, 2);
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager
.CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
);
byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
containerTokenIdentifier.ReadFields(dib);
NUnit.Framework.Assert.AreEqual(cId, containerTokenIdentifier.GetContainerID());
NUnit.Framework.Assert.AreEqual(cId.ToString(), containerTokenIdentifier.GetContainerID
().ToString());
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken
(appAttemptId, nodeId, user);
YarnRPC rpc = YarnRPC.Create(conf);
TestStartContainer(rpc, appAttemptId, nodeId, containerToken, nmToken, false);
IList <ContainerId> containerIds = new List <ContainerId>();
containerIds.AddItem(cId);
ContainerManagementProtocol proxy = GetContainerManagementProtocolProxy(rpc, nmToken
, nodeId, user);
GetContainerStatusesResponse res = proxy.GetContainerStatuses(GetContainerStatusesRequest
.NewInstance(containerIds));
NUnit.Framework.Assert.IsNotNull(res.GetContainerStatuses()[0]);
NUnit.Framework.Assert.AreEqual(cId, res.GetContainerStatuses()[0].GetContainerId
());
NUnit.Framework.Assert.AreEqual(cId.ToString(), res.GetContainerStatuses()[0].GetContainerId
().ToString());
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public override Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> GetAMRMToken
(ApplicationId appId)
{
Org.Apache.Hadoop.Yarn.Api.Records.Token token = GetApplicationReport(appId).GetAMRMToken
();
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = null;
if (token != null)
{
amrmToken = ConverterUtils.ConvertFromYarn(token, (Text)null);
}
return(amrmToken);
}
public static Org.Apache.Hadoop.Yarn.Api.Records.Token NewContainerToken(NodeId nodeId
, byte[] password, ContainerTokenIdentifier tokenIdentifier)
{
// RPC layer client expects ip:port as service for tokens
IPEndPoint addr = NetUtils.CreateSocketAddrForHost(nodeId.GetHost(), nodeId.GetPort
());
// NOTE: use SecurityUtil.setTokenService if this becomes a "real" token
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(tokenIdentifier.GetBytes(), ContainerTokenIdentifier.Kind.ToString(
), password, SecurityUtil.BuildTokenService(addr).ToString());
return(containerToken);
}
/// <summary>Convert a protobuf token into a rpc token and set its service.</summary>
/// <param name="protoToken">the yarn token</param>
/// <param name="service">the service for the token</param>
public static Org.Apache.Hadoop.Security.Token.Token <T> ConvertFromYarn <T>(Org.Apache.Hadoop.Yarn.Api.Records.Token
protoToken, Text service)
where T : TokenIdentifier
{
Org.Apache.Hadoop.Security.Token.Token <T> token = new Org.Apache.Hadoop.Security.Token.Token
<T>(((byte[])protoToken.GetIdentifier().Array()), ((byte[])protoToken.GetPassword
().Array()), new Text(protoToken.GetKind()), new Text(protoToken.GetService()));
if (service != null)
{
token.SetService(service);
}
return(token);
}
public static Org.Apache.Hadoop.Yarn.Api.Records.Token NewInstance(byte[] password
, NMTokenIdentifier identifier)
{
NodeId nodeId = identifier.GetNodeId();
// RPC layer client expects ip:port as service for tokens
IPEndPoint addr = NetUtils.CreateSocketAddrForHost(nodeId.GetHost(), nodeId.GetPort
());
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(identifier.GetBytes(), NMTokenIdentifier.Kind.ToString(), password,
SecurityUtil.BuildTokenService(addr).ToString());
return(nmToken);
}
/// <exception cref="System.IO.IOException"/>
private ContainerTokenIdentifier GetContainerTokenIdentifierFromToken(Org.Apache.Hadoop.Yarn.Api.Records.Token
containerToken)
{
ContainerTokenIdentifier containerTokenIdentifier;
containerTokenIdentifier = new ContainerTokenIdentifier();
byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
containerTokenIdentifier.ReadFields(dib);
return(containerTokenIdentifier);
}
/// <exception cref="System.IO.IOException"/>
private static ContainerTokenIdentifier CreateContainerTokenId(ContainerId cid, NodeId
nodeId, string user, NMContainerTokenSecretManager secretMgr)
{
long rmid = cid.GetApplicationAttemptId().GetApplicationId().GetClusterTimestamp(
);
ContainerTokenIdentifier ctid = new ContainerTokenIdentifier(cid, nodeId.ToString
(), user, BuilderUtils.NewResource(1024, 1), Runtime.CurrentTimeMillis() + 100000L
, secretMgr.GetCurrentKey().GetKeyId(), rmid, Priority.NewInstance(0), 0);
Org.Apache.Hadoop.Yarn.Api.Records.Token token = BuilderUtils.NewContainerToken(nodeId
, secretMgr.CreatePassword(ctid), ctid);
return(BuilderUtils.NewContainerTokenIdentifier(token));
}
private ApplicationClientProtocol GetClientRMProtocolWithDT(Org.Apache.Hadoop.Yarn.Api.Records.Token
token, IPEndPoint rmAddress, string user, Configuration conf)
{
// Maybe consider converting to Hadoop token, serialize de-serialize etc
// before trying to renew the token.
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user);
ugi.AddToken(ConverterUtils.ConvertFromYarn(token, rmAddress));
YarnRPC rpc = YarnRPC.Create(conf);
ApplicationClientProtocol clientRMWithDT = ugi.DoAs(new _PrivilegedAction_464(rpc
, rmAddress, conf));
return(clientRMWithDT);
}
protected internal virtual ContainerManagementProtocol GetContainerManagementProtocolProxy
(YarnRPC rpc, Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken, NodeId nodeId, string
user)
{
ContainerManagementProtocol proxy;
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user);
IPEndPoint addr = NetUtils.CreateSocketAddr(nodeId.GetHost(), nodeId.GetPort());
if (nmToken != null)
{
ugi.AddToken(ConverterUtils.ConvertFromYarn(nmToken, addr));
}
proxy = NMProxy.CreateNMProxy <ContainerManagementProtocol>(conf, ugi, rpc, addr);
return(proxy);
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public virtual AllocateResponse Allocate(AllocateRequest request)
{
NUnit.Framework.Assert.AreEqual("response ID mismatch", responseId, request.GetResponseId
());
++responseId;
Org.Apache.Hadoop.Yarn.Api.Records.Token yarnToken = null;
if (amToken != null)
{
yarnToken = Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(amToken.GetIdentifier
(), amToken.GetKind().ToString(), amToken.GetPassword(), amToken.GetService().ToString
());
}
return(AllocateResponse.NewInstance(responseId, Collections.EmptyList <ContainerStatus
>(), Collections.EmptyList <Container>(), Collections.EmptyList <NodeReport>(), Resources
.None(), null, 1, null, Collections.EmptyList <NMToken>(), yarnToken, Collections
.EmptyList <ContainerResourceIncrease>(), Collections.EmptyList <ContainerResourceDecrease
>()));
}
public GetDelegationTokenResponse Answer(InvocationOnMock invocation)
{
GetDelegationTokenRequest request = (GetDelegationTokenRequest)invocation.GetArguments
()[0];
NUnit.Framework.Assert.AreEqual(masterPrincipal, request.GetRenewer());
Org.Apache.Hadoop.Yarn.Api.Records.Token token = TestYARNRunner.recordFactory.NewRecordInstance
<Org.Apache.Hadoop.Yarn.Api.Records.Token>();
token.SetKind(string.Empty);
token.SetService(string.Empty);
token.SetIdentifier(ByteBuffer.Allocate(0));
token.SetPassword(ByteBuffer.Allocate(0));
GetDelegationTokenResponse tokenResponse = TestYARNRunner.recordFactory.NewRecordInstance
<GetDelegationTokenResponse>();
tokenResponse.SetDelegationToken(token);
return(tokenResponse);
}
/// <exception cref="System.Exception"/>
public virtual void TestGetHSDelegationToken()
{
try
{
Configuration conf = new Configuration();
// Setup mock service
IPEndPoint mockRmAddress = new IPEndPoint("localhost", 4444);
Text rmTokenSevice = SecurityUtil.BuildTokenService(mockRmAddress);
IPEndPoint mockHsAddress = new IPEndPoint("localhost", 9200);
Text hsTokenSevice = SecurityUtil.BuildTokenService(mockHsAddress);
// Setup mock rm token
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new
Text("owner"), new Text("renewer"), new Text("real"));
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<RMDelegationTokenIdentifier>(new byte[0], new byte[0], tokenIdentifier.GetKind(
), rmTokenSevice);
token.SetKind(RMDelegationTokenIdentifier.KindName);
// Setup mock history token
Org.Apache.Hadoop.Yarn.Api.Records.Token historyToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(new byte[0], MRDelegationTokenIdentifier.KindName.ToString(), new byte
[0], hsTokenSevice.ToString());
GetDelegationTokenResponse getDtResponse = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetDelegationTokenResponse>();
getDtResponse.SetDelegationToken(historyToken);
// mock services
MRClientProtocol mockHsProxy = Org.Mockito.Mockito.Mock <MRClientProtocol>();
Org.Mockito.Mockito.DoReturn(mockHsAddress).When(mockHsProxy).GetConnectAddress();
Org.Mockito.Mockito.DoReturn(getDtResponse).When(mockHsProxy).GetDelegationToken(
Matchers.Any <GetDelegationTokenRequest>());
ResourceMgrDelegate rmDelegate = Org.Mockito.Mockito.Mock <ResourceMgrDelegate>();
Org.Mockito.Mockito.DoReturn(rmTokenSevice).When(rmDelegate).GetRMDelegationTokenService
();
ClientCache clientCache = Org.Mockito.Mockito.Mock <ClientCache>();
Org.Mockito.Mockito.DoReturn(mockHsProxy).When(clientCache).GetInitializedHSProxy
();
Credentials creds = new Credentials();
YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache);
// No HS token if no RM token
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// No HS token if RM token, but secirity disabled.
creds.AddToken(new Text("rmdt"), token);
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
creds = new Credentials();
// No HS token if no RM token, security enabled
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// HS token if RM token present, security enabled
creds.AddToken(new Text("rmdt"), token);
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// No additional call to get HS token if RM and HS token present
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
}
finally
{
// Back to defaults.
UserGroupInformation.SetConfiguration(new Configuration());
}
}
public virtual void TestDelegationToken()
{
YarnConfiguration conf = new YarnConfiguration();
conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]");
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ResourceScheduler scheduler = CreateMockScheduler(conf);
long initialInterval = 10000l;
long maxLifetime = 20000l;
long renewInterval = 10000l;
RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager
(initialInterval, maxLifetime, renewInterval);
rmDtSecretManager.StartThreads();
Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval
+ ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval);
ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this
, conf, scheduler, rmDtSecretManager);
clientRMService.Init(conf);
clientRMService.Start();
ApplicationClientProtocol clientRMWithDT = null;
try
{
// Create a user for the renewr and fake the authentication-method
UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**"
);
NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName());
// Default realm is APACHE.ORG
loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
);
Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
long tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser1", conf);
GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <
GetNewApplicationRequest>();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Renew after 50% of token age.
while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2)
{
Sharpen.Thread.Sleep(500l);
}
long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token);
long renewalTime = Runtime.CurrentTimeMillis();
Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime);
// Wait for first expiry, but before renewed expiry.
while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime.
CurrentTimeMillis() < nextExpTime)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
// Valid token because of renewal.
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Wait for expiry.
while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid");
// Token should have expired.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token");
}
catch (Exception e)
{
NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType
().FullName);
NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired"));
}
// Test cancellation
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
CancelDelegationToken(loggedInUser, clientRMService, token);
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
// Creating a new connection.
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis());
// Verify cancellation worked.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token"
);
}
catch (IOException)
{
}
catch (YarnException)
{
}
// Test new version token
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array());
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier();
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
tokenIdentifier.ReadFields(dib);
// Construct new version RMDelegationTokenIdentifier with additional field
RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest
(tokenIdentifier, "message");
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken =
new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier
, rmDtSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken
(newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword
(), newRMDTtoken.GetService().ToString());
// Now try talking to RMService using the new version delegation token
clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress
(), "loginuser3", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
}
finally
{
rmDtSecretManager.StopThreads();
// TODO PRECOMMIT Close proxies.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
}
}
}
/// <exception cref="System.Exception"/>
public virtual void TestClientTokenRace()
{
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
>();
StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
>();
Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
)Matchers.Any())).ThenReturn(mockResponse);
DrainDispatcher dispatcher = new DrainDispatcher();
MockRM rm = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager
);
rm.Start();
// Submit an app
RMApp app = rm.SubmitApp(1024);
// Set up a node.
MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);
nm1.NodeHeartbeat(true);
dispatcher.Await();
nm1.NodeHeartbeat(true);
dispatcher.Await();
ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
.GetCurrentAppAttempt().GetAppAttemptId());
UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
());
RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469
(mockAM));
// Get the app-report.
GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetApplicationReportRequest>();
request.SetApplicationId(app.GetApplicationId());
GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
(request);
ApplicationReport appReport = reportResponse.GetApplicationReport();
Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
();
// ClientToAMToken master key should have been received on register
// application master response.
ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey();
NUnit.Framework.Assert.IsNotNull(clientMasterKey);
NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0);
// Start the AM with the correct shared-secret.
ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
();
NUnit.Framework.Assert.IsNotNull(appAttemptId);
TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
, null);
am.Init(conf);
am.Start();
// Now the real test!
// Set up clients to be able to pick up correct tokens.
SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
());
Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
.ConvertFromYarn(originalClientToAMToken, am.address);
// Schedule the key to be set after a significant delay
Timer timer = new Timer();
TimerTask timerTask = new _TimerTask_516(am, clientMasterKey);
timer.Schedule(timerTask, 250);
// connect should pause waiting for the master key to arrive
VerifyValidToken(conf, am, token);
am.Stop();
rm.Stop();
}
public _PrivilegedExceptionAction_440(Org.Apache.Hadoop.Yarn.Api.Records.Token dToken
, ApplicationClientProtocol clientRMService)
{
this.dToken = dToken;
this.clientRMService = clientRMService;
}
public static ApplicationReport NewApplicationReport(ApplicationId applicationId,
ApplicationAttemptId applicationAttemptId, string user, string queue, string name
, string host, int rpcPort, Org.Apache.Hadoop.Yarn.Api.Records.Token clientToAMToken
, YarnApplicationState state, string diagnostics, string url, long startTime, long
finishTime, FinalApplicationStatus finalStatus, ApplicationResourceUsageReport
appResources, string origTrackingUrl, float progress, string appType, Org.Apache.Hadoop.Yarn.Api.Records.Token
amRmToken, ICollection <string> tags)
{
ApplicationReport report = recordFactory.NewRecordInstance <ApplicationReport>();
report.SetApplicationId(applicationId);
report.SetCurrentApplicationAttemptId(applicationAttemptId);
report.SetUser(user);
report.SetQueue(queue);
report.SetName(name);
report.SetHost(host);
report.SetRpcPort(rpcPort);
report.SetClientToAMToken(clientToAMToken);
report.SetYarnApplicationState(state);
report.SetDiagnostics(diagnostics);
report.SetTrackingUrl(url);
report.SetStartTime(startTime);
report.SetFinishTime(finishTime);
report.SetFinalApplicationStatus(finalStatus);
report.SetApplicationResourceUsageReport(appResources);
report.SetOriginalTrackingUrl(origTrackingUrl);
report.SetProgress(progress);
report.SetApplicationType(appType);
report.SetAMRMToken(amRmToken);
report.SetApplicationTags(tags);
return(report);
}
/// <summary>
/// This tests a malice user getting a proper token but then messing with it by
/// tampering with containerID/Resource etc..
/// </summary>
/// <remarks>
/// This tests a malice user getting a proper token but then messing with it by
/// tampering with containerID/Resource etc.. His/her containers should be
/// rejected.
/// </remarks>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
private void TestContainerToken(Configuration conf)
{
Log.Info("Running test for malice user");
/*
* We need to check for containerToken (authorization).
* Here we will be assuming that we have valid NMToken
* 1) ContainerToken used is expired.
* 2) ContainerToken is tampered (resource is modified).
*/
NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager
().GetRMContext().GetNMTokenSecretManager();
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, 0);
NodeManager nm = yarnCluster.GetNodeManager(0);
NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager
();
string user = "******";
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm);
NodeId nodeId = nm.GetNMContext().GetNodeId();
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId
(), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId());
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
Resource r = Resource.NewInstance(1230, 2);
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager
.CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0);
ContainerTokenIdentifier containerTokenIdentifier = GetContainerTokenIdentifierFromToken
(containerToken);
// Verify new compatible version ContainerTokenIdentifier can work successfully.
ContainerTokenIdentifierForTest newVersionTokenIdentifier = new ContainerTokenIdentifierForTest
(containerTokenIdentifier, "message");
byte[] password = containerTokenSecretManager.CreatePassword(newVersionTokenIdentifier
);
Org.Apache.Hadoop.Yarn.Api.Records.Token newContainerToken = BuilderUtils.NewContainerToken
(nodeId, password, newVersionTokenIdentifier);
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken
(appAttemptId, nodeId, user);
YarnRPC rpc = YarnRPC.Create(conf);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, newContainerToken
, nmToken, false).IsEmpty());
// Creating a tampered Container Token
RMContainerTokenSecretManager tamperedContainerTokenSecretManager = new RMContainerTokenSecretManager
(conf);
tamperedContainerTokenSecretManager.RollMasterKey();
do
{
tamperedContainerTokenSecretManager.RollMasterKey();
tamperedContainerTokenSecretManager.ActivateNextMasterKey();
}while (containerTokenSecretManager.GetCurrentKey().GetKeyId() == tamperedContainerTokenSecretManager
.GetCurrentKey().GetKeyId());
ContainerId cId2 = ContainerId.NewContainerId(appAttemptId, 1);
// Creating modified containerToken
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken2 = tamperedContainerTokenSecretManager
.CreateContainerToken(cId2, nodeId, user, r, Priority.NewInstance(0), 0);
StringBuilder sb = new StringBuilder("Given Container ");
sb.Append(cId2);
sb.Append(" seems to have an illegally generated token.");
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, containerToken2
, nmToken, true).Contains(sb.ToString()));
}
public virtual void TestClientToAMTokens()
{
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
>();
StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
>();
Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
)Matchers.Any())).ThenReturn(mockResponse);
DrainDispatcher dispatcher = new DrainDispatcher();
MockRM rm = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager
);
rm.Start();
// Submit an app
RMApp app = rm.SubmitApp(1024);
// Set up a node.
MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);
nm1.NodeHeartbeat(true);
dispatcher.Await();
nm1.NodeHeartbeat(true);
dispatcher.Await();
ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
.GetCurrentAppAttempt().GetAppAttemptId());
UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
());
RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_229
(mockAM));
// Get the app-report.
GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetApplicationReportRequest>();
request.SetApplicationId(app.GetApplicationId());
GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
(request);
ApplicationReport appReport = reportResponse.GetApplicationReport();
Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
();
// ClientToAMToken master key should have been received on register
// application master response.
NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey());
NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array
()).Length > 0);
// Start the AM with the correct shared-secret.
ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
();
NUnit.Framework.Assert.IsNotNull(appAttemptId);
TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
, ((byte[])response.GetClientToAMTokenMasterKey().Array()));
am.Init(conf);
am.Start();
// Now the real test!
// Set up clients to be able to pick up correct tokens.
SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
());
// Verify denial for unauthenticated user
try
{
TestClientToAMTokens.CustomProtocol client = (TestClientToAMTokens.CustomProtocol
)RPC.GetProxy <TestClientToAMTokens.CustomProtocol>(1L, am.address, conf);
client.Ping();
NUnit.Framework.Assert.Fail("Access by unauthenticated user should fail!!");
}
catch (Exception)
{
NUnit.Framework.Assert.IsFalse(am.pinged);
}
Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
.ConvertFromYarn(originalClientToAMToken, am.address);
// Verify denial for a malicious user with tampered ID
VerifyTokenWithTamperedID(conf, am, token);
// Verify denial for a malicious user with tampered user-name
VerifyTokenWithTamperedUserName(conf, am, token);
// Now for an authenticated user
VerifyValidToken(conf, am, token);
// Verify for a new version token
VerifyNewVersionToken(conf, am, token, rm);
am.Stop();
rm.Stop();
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private void CancelDelegationToken(UserGroupInformation loggedInUser, ApplicationClientProtocol
clientRMService, Org.Apache.Hadoop.Yarn.Api.Records.Token dToken)
{
loggedInUser.DoAs(new _PrivilegedExceptionAction_440(dToken, clientRMService));
}
