Ejemplo n.º 1
0
        /// <exception cref="System.Exception"/>
        public virtual void TestClientTokenRace()
        {
            conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
                                                                                     >();
            StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
                                                                             >();

            Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
                                                                       )Matchers.Any())).ThenReturn(mockResponse);
            DrainDispatcher dispatcher = new DrainDispatcher();
            MockRM          rm         = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager
                                                                             );

            rm.Start();
            // Submit an app
            RMApp app = rm.SubmitApp(1024);
            // Set up a node.
            MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);

            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
            MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
                                       .GetCurrentAppAttempt().GetAppAttemptId());
            UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
                                                                                    ());
            RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469
                                                                         (mockAM));
            // Get the app-report.
            GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                  <GetApplicationReportRequest>();

            request.SetApplicationId(app.GetApplicationId());
            GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
                                                              (request);
            ApplicationReport appReport = reportResponse.GetApplicationReport();

            Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
                                                                                   ();
            // ClientToAMToken master key should have been received on register
            // application master response.
            ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey();

            NUnit.Framework.Assert.IsNotNull(clientMasterKey);
            NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0);
            // Start the AM with the correct shared-secret.
            ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
                                                    ();

            NUnit.Framework.Assert.IsNotNull(appAttemptId);
            TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
                                                                                 , null);
            am.Init(conf);
            am.Start();
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
                                                      ());
            Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
                                                                                       .ConvertFromYarn(originalClientToAMToken, am.address);
            // Schedule the key to be set after a significant delay
            Timer     timer     = new Timer();
            TimerTask timerTask = new _TimerTask_516(am, clientMasterKey);

            timer.Schedule(timerTask, 250);
            // connect should pause waiting for the master key to arrive
            VerifyValidToken(conf, am, token);
            am.Stop();
            rm.Stop();
        }
Ejemplo n.º 2
0
        public virtual void TestClientToAMTokens()
        {
            conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
                                                                                     >();
            StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
                                                                             >();

            Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
                                                                       )Matchers.Any())).ThenReturn(mockResponse);
            DrainDispatcher dispatcher = new DrainDispatcher();
            MockRM          rm         = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager
                                                                             );

            rm.Start();
            // Submit an app
            RMApp app = rm.SubmitApp(1024);
            // Set up a node.
            MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);

            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
            MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
                                       .GetCurrentAppAttempt().GetAppAttemptId());
            UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
                                                                                    ());
            RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_229
                                                                         (mockAM));
            // Get the app-report.
            GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                  <GetApplicationReportRequest>();

            request.SetApplicationId(app.GetApplicationId());
            GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
                                                              (request);
            ApplicationReport appReport = reportResponse.GetApplicationReport();

            Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
                                                                                   ();
            // ClientToAMToken master key should have been received on register
            // application master response.
            NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey());
            NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array
                                               ()).Length > 0);
            // Start the AM with the correct shared-secret.
            ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
                                                    ();

            NUnit.Framework.Assert.IsNotNull(appAttemptId);
            TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
                                                                                 , ((byte[])response.GetClientToAMTokenMasterKey().Array()));
            am.Init(conf);
            am.Start();
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
                                                      ());
            // Verify denial for unauthenticated user
            try
            {
                TestClientToAMTokens.CustomProtocol client = (TestClientToAMTokens.CustomProtocol
                                                              )RPC.GetProxy <TestClientToAMTokens.CustomProtocol>(1L, am.address, conf);
                client.Ping();
                NUnit.Framework.Assert.Fail("Access by unauthenticated user should fail!!");
            }
            catch (Exception)
            {
                NUnit.Framework.Assert.IsFalse(am.pinged);
            }
            Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
                                                                                       .ConvertFromYarn(originalClientToAMToken, am.address);
            // Verify denial for a malicious user with tampered ID
            VerifyTokenWithTamperedID(conf, am, token);
            // Verify denial for a malicious user with tampered user-name
            VerifyTokenWithTamperedUserName(conf, am, token);
            // Now for an authenticated user
            VerifyValidToken(conf, am, token);
            // Verify for a new version token
            VerifyNewVersionToken(conf, am, token, rm);
            am.Stop();
            rm.Stop();
        }