/// <exception cref="System.Exception"/>
        /// <summary>
        /// Checks that the queue administrator account can view, list and kill an
        /// application whose view ACL names only <c>FriendlyGroup</c> and whose
        /// modify ACL names only <c>Friend</c>.
        /// </summary>
        /// <remarks>
        /// The view and kill calls count as passing when they return without throwing;
        /// the returned report itself is not inspected here.
        /// </remarks>
        private void VerifyAdministerQueueUserAccess()
        {
            // NOTE(review): presumably read by the submission helper to choose the
            // submitting user - confirm against SubmitAppAndGetAppId.
            isQueueUser = true;

            AccessControlList viewers = new AccessControlList(string.Empty);
            viewers.AddGroup(FriendlyGroup);
            AccessControlList modifiers = new AccessControlList(string.Empty);
            modifiers.AddUser(Friend);
            ApplicationId appId = SubmitAppAndGetAppId(viewers, modifiers);

            GetApplicationReportRequest reportRequest =
                recordFactory.NewRecordInstance<GetApplicationReportRequest>();
            reportRequest.SetApplicationId(appId);
            KillApplicationRequest killRequest =
                recordFactory.NewRecordInstance<KillApplicationRequest>();
            killRequest.SetApplicationId(appId);

            ApplicationClientProtocol queueAdminClient = GetRMClientForUser(QueueAdminUser);

            // View: the queue admin is expected to get a report without an exception.
            queueAdminClient.GetApplicationReport(reportRequest);

            // List: the expected total is fixed at 5.
            // NOTE(review): that number presumably depends on how many applications
            // earlier checks in this fixture have already submitted - confirm ordering.
            // NOTE(review): arguments are passed as (message, expected, actual); NUnit's
            // own Assert.AreEqual takes (expected, actual, message) - confirm which
            // Assert is bound here.
            GetApplicationsRequest listRequest =
                recordFactory.NewRecordInstance<GetApplicationsRequest>();
            int visibleApps = queueAdminClient.GetApplications(listRequest).GetApplicationList().Count;
            NUnit.Framework.Assert.AreEqual(
                "App view by queue-admin-user should list the apps!!", 5, visibleApps);

            // Kill: must succeed for the queue admin, then the RM must report Killed.
            queueAdminClient.ForceKillApplication(killRequest);
            resourceManager.WaitForState(appId, RMAppState.Killed);
        }
        /// <summary>
        /// Checks that the client held in <c>rmClient</c> (the owner, per the inline
        /// comments) can view, list and kill an application it submitted with a view
        /// ACL of <c>FriendlyGroup</c> and a modify ACL of <c>Friend</c>.
        /// </summary>
        /// <remarks>
        /// View and kill pass when the calls return without throwing; the report
        /// contents are not asserted.
        /// </remarks>
        /// <exception cref="System.Exception"/>
        private void VerifyOwnerAccess()
        {
            AccessControlList viewers = new AccessControlList(string.Empty);
            viewers.AddGroup(FriendlyGroup);
            AccessControlList modifiers = new AccessControlList(string.Empty);
            modifiers.AddUser(Friend);
            ApplicationId appId = SubmitAppAndGetAppId(viewers, modifiers);

            GetApplicationReportRequest reportRequest =
                recordFactory.NewRecordInstance<GetApplicationReportRequest>();
            reportRequest.SetApplicationId(appId);
            KillApplicationRequest killRequest =
                recordFactory.NewRecordInstance<KillApplicationRequest>();
            killRequest.SetApplicationId(appId);

            // View as owner.
            rmClient.GetApplicationReport(reportRequest);

            // List as owner: exactly one application is expected at this point.
            // NOTE(review): arguments are passed as (message, expected, actual); NUnit's
            // own Assert.AreEqual takes (expected, actual, message) - confirm which
            // Assert is bound here.
            GetApplicationsRequest listRequest =
                recordFactory.NewRecordInstance<GetApplicationsRequest>();
            int visibleApps = rmClient.GetApplications(listRequest).GetApplicationList().Count;
            NUnit.Framework.Assert.AreEqual(
                "App view by owner should list the apps!!", 1, visibleApps);

            // Kill as owner, then wait for the RM to report the Killed state.
            rmClient.ForceKillApplication(killRequest);
            resourceManager.WaitForState(appId, RMAppState.Killed);
        }
        /// <summary>
        /// Looks up the report for an application, asking the RM first and, when the
        /// RM does not know the application and the history service is enabled,
        /// asking the Application History Server instead.
        /// </summary>
        /// <remarks>
        /// Only <c>ApplicationNotFoundException</c> from the RM lookup triggers the
        /// fallback; any other failure propagates to the caller. The returned wrapper
        /// records which source answered, so callers can tell an RM report from an
        /// AHS one.
        /// </remarks>
        /// <param name="appId">id of the application to look up.</param>
        /// <returns>the report together with the source (RM or AHS) it came from.</returns>
        /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException">on any error.</exception>
        /// <exception cref="System.IO.IOException"/>
        public virtual AppReportFetcher.FetchedAppReport GetApplicationReport(ApplicationId
                                                                              appId)
        {
            GetApplicationReportRequest lookup =
                recordFactory.NewRecordInstance<GetApplicationReportRequest>();
            lookup.SetApplicationId(appId);

            try
            {
                ApplicationReport fromRm =
                    applicationsManager.GetApplicationReport(lookup).GetApplicationReport();
                return new AppReportFetcher.FetchedAppReport(
                    fromRm, AppReportFetcher.AppReportSource.Rm);
            }
            catch (ApplicationNotFoundException)
            {
                if (isAHSEnabled)
                {
                    // The RM no longer knows the application; ask the history server.
                    ApplicationReport fromAhs =
                        historyManager.GetApplicationReport(lookup).GetApplicationReport();
                    return new AppReportFetcher.FetchedAppReport(
                        fromAhs, AppReportFetcher.AppReportSource.Ahs);
                }

                // No history service to consult: surface the original not-found error.
                throw;
            }
        }
        /// <summary>
        /// Checks what a user outside the application's ACLs (<c>Enemy</c>) can do:
        /// report and list calls still return, every returned report is passed to
        /// <c>VerifyEnemyAppReport</c>, and a kill attempt must be rejected.
        /// </summary>
        /// <remarks>
        /// The denial check matches the exception text literally, including the user
        /// name "enemy" and the operation name MODIFY_APP, so it is tied to the exact
        /// wording of the authorization error.
        /// </remarks>
        /// <exception cref="System.Exception"/>
        private void VerifyEnemyAccess()
        {
            AccessControlList viewers = new AccessControlList(string.Empty);
            viewers.AddGroup(FriendlyGroup);
            AccessControlList modifiers = new AccessControlList(string.Empty);
            modifiers.AddUser(Friend);
            ApplicationId appId = SubmitAppAndGetAppId(viewers, modifiers);

            GetApplicationReportRequest reportRequest =
                recordFactory.NewRecordInstance<GetApplicationReportRequest>();
            reportRequest.SetApplicationId(appId);
            KillApplicationRequest killRequest =
                recordFactory.NewRecordInstance<KillApplicationRequest>();
            killRequest.SetApplicationId(appId);

            ApplicationClientProtocol outsider = GetRMClientForUser(Enemy);

            // View as the enemy: the call returns a report, which is then checked.
            // NOTE(review): VerifyEnemyAppReport presumably asserts that sensitive
            // fields are withheld - confirm against its definition.
            ApplicationReport singleReport =
                outsider.GetApplicationReport(reportRequest).GetApplicationReport();
            VerifyEnemyAppReport(singleReport);

            // List as the enemy: four entries are expected, each checked the same way.
            // NOTE(review): arguments are passed as (message, expected, actual); NUnit's
            // own Assert.AreEqual takes (expected, actual, message) - confirm which
            // Assert is bound here.
            GetApplicationsRequest listRequest =
                recordFactory.NewRecordInstance<GetApplicationsRequest>();
            IList<ApplicationReport> listed =
                outsider.GetApplications(listRequest).GetApplicationList();
            NUnit.Framework.Assert.AreEqual(
                "App view by enemy should list the apps!!", 4, listed.Count);
            foreach (ApplicationReport entry in listed)
            {
                VerifyEnemyAppReport(entry);
            }

            // Kill as the enemy: must be refused with the expected authorization error.
            try
            {
                outsider.ForceKillApplication(killRequest);
                NUnit.Framework.Assert.Fail("App killing by the enemy should fail!!");
            }
            catch (YarnException e)
            {
                Log.Info("Got exception while killing app as the enemy", e);
                string denial = e.Message;
                bool isExpectedDenial = denial.Contains(
                    "User enemy cannot perform operation MODIFY_APP on " + appId);
                NUnit.Framework.Assert.IsTrue(isExpectedDenial);
            }

            // Clean up through the owner's client.
            rmClient.ForceKillApplication(killRequest);
        }
        /// <summary>
        /// Returns the report for an application from the RM, or from the history
        /// client when the RM does not know the application and the history service
        /// is enabled.
        /// </summary>
        /// <remarks>
        /// Only <c>ApplicationNotFoundException</c> raised by the RM call triggers the
        /// fallback; with the history service disabled that exception is rethrown
        /// unchanged.
        /// </remarks>
        /// <param name="appId">id of the application to look up.</param>
        /// <returns>the application report from the RM or the history service.</returns>
        /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
        /// <exception cref="System.IO.IOException"/>
        public override ApplicationReport GetApplicationReport(ApplicationId appId)
        {
            GetApplicationReportResponse rmAnswer;

            try
            {
                GetApplicationReportRequest lookup =
                    Org.Apache.Hadoop.Yarn.Util.Records.NewRecord<GetApplicationReportRequest>();
                lookup.SetApplicationId(appId);
                rmAnswer = rmClient.GetApplicationReport(lookup);
            }
            catch (ApplicationNotFoundException)
            {
                if (historyServiceEnabled)
                {
                    // Unknown to the RM: defer to the history service.
                    return historyClient.GetApplicationReport(appId);
                }

                // No history service configured: surface the original not-found error.
                throw;
            }

            return rmAnswer.GetApplicationReport();
        }
        /// <summary>
        /// Exercises the case where a client presents a valid client-to-AM token
        /// before the AM has been given the master key: the AM is started with a
        /// null key, a timer task is scheduled to supply the key later, and the
        /// client call is expected to succeed once it arrives.
        /// </summary>
        /// <remarks>
        /// The test is timing-sensitive: the statement order between scheduling the
        /// timer and calling <c>VerifyValidToken</c> is what produces the race.
        /// NOTE(review): <c>am</c> and <c>rm</c> are stopped only on the success path,
        /// and no cancellation of <c>timer</c> is visible here; a failed assertion
        /// leaves them running.
        /// </remarks>
        /// <exception cref="System.Exception"/>
        public virtual void TestClientTokenRace()
        {
            // Switch the shared configuration to Kerberos authentication.
            // NOTE(review): SetConfiguration is a static call and presumably affects
            // later tests in the same process - confirm fixture teardown resets it.
            conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            // Mocked container manager: StartContainers always returns the mock response.
            ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol
                                                                                     >();
            StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse
                                                                             >();

            Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest
                                                                       )Matchers.Any())).ThenReturn(mockResponse);
            DrainDispatcher dispatcher = new DrainDispatcher();
            MockRM          rm         = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager
                                                                             );

            rm.Start();
            // Submit an app
            RMApp app = rm.SubmitApp(1024);
            // Set up a node.
            MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);

            // Two heartbeats, each followed by draining the dispatcher.
            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
            MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app
                                       .GetCurrentAppAttempt().GetAppAttemptId());
            // Run the privileged action as a remote user named after the attempt id.
            // NOTE(review): _PrivilegedAction_469 presumably registers the AM - confirm.
            UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString
                                                                                    ());
            RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469
                                                                         (mockAM));
            // Get the app-report.
            GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                  <GetApplicationReportRequest>();

            request.SetApplicationId(app.GetApplicationId());
            GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport
                                                              (request);
            ApplicationReport appReport = reportResponse.GetApplicationReport();

            Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken
                                                                                   ();
            // ClientToAMToken master key should have been received on register
            // application master response.
            ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey();

            // The key must be present and non-empty.
            NUnit.Framework.Assert.IsNotNull(clientMasterKey);
            NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0);
            // Start the AM without the shared secret: the second constructor argument
            // is null here; the key is handed to the timer task created below.
            ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next
                                                    ();

            NUnit.Framework.Assert.IsNotNull(appAttemptId);
            TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId
                                                                                 , null);
            am.Init(conf);
            am.Start();
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            // NOTE(review): static call; presumably replaces the provider list for the
            // whole process - confirm it is restored after the test.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo
                                                      ());
            Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils
                                                                                       .ConvertFromYarn(originalClientToAMToken, am.address);
            // Schedule the key to be set after a significant delay
            // NOTE(review): 250 is presumably milliseconds - confirm against Timer.Schedule.
            Timer     timer     = new Timer();
            TimerTask timerTask = new _TimerTask_516(am, clientMasterKey);

            timer.Schedule(timerTask, 250);
            // connect should pause waiting for the master key to arrive
            VerifyValidToken(conf, am, token);
            am.Stop();
            rm.Stop();
        }
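        /// <summary>
        /// End-to-end check of client-to-AM token authentication: an unauthenticated
        /// caller must be refused, tokens with a tampered id or user name must be
        /// refused, and an untampered token (including a newer-version token) must be
        /// accepted.
        /// </summary>
        /// <remarks>
        /// NOTE(review): <c>am</c> and <c>rm</c> are stopped only on the success path; a
        /// failed assertion leaves them running.
        /// </remarks>
        public virtual void TestClientToAMTokens()
        {
            // Switch the shared configuration to Kerberos authentication.
            // NOTE(review): SetConfiguration is a static call and presumably affects
            // later tests in the same process - confirm fixture teardown resets it.
            conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);

            // Mocked container manager: StartContainers always returns the mock response.
            ContainerManagementProtocol containerManager =
                Org.Mockito.Mockito.Mock<ContainerManagementProtocol>();
            StartContainersResponse mockResponse =
                Org.Mockito.Mockito.Mock<StartContainersResponse>();
            Org.Mockito.Mockito.When(
                containerManager.StartContainers((StartContainersRequest)Matchers.Any()))
                .ThenReturn(mockResponse);

            DrainDispatcher dispatcher = new DrainDispatcher();
            MockRM rm = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager);
            rm.Start();

            // Submit an app
            RMApp app = rm.SubmitApp(1024);

            // Set up a node.
            MockNM nm1 = rm.RegisterNode("localhost:1234", 3072);
            nm1.NodeHeartbeat(true);
            dispatcher.Await();
            nm1.NodeHeartbeat(true);
            dispatcher.Await();

            ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId();
            MockAM mockAM = new MockAM(
                rm.GetRMContext(),
                rm.GetApplicationMasterService(),
                app.GetCurrentAppAttempt().GetAppAttemptId());

            // Run the privileged action as a remote user named after the attempt id.
            // NOTE(review): _PrivilegedAction_229 presumably registers the AM - confirm.
            UserGroupInformation appUgi =
                UserGroupInformation.CreateRemoteUser(appAttempt.ToString());
            RegisterApplicationMasterResponse response =
                appUgi.DoAs(new _PrivilegedAction_229(mockAM));

            // Get the app-report.
            GetApplicationReportRequest request =
                Org.Apache.Hadoop.Yarn.Util.Records.NewRecord<GetApplicationReportRequest>();
            request.SetApplicationId(app.GetApplicationId());
            GetApplicationReportResponse reportResponse =
                rm.GetClientRMService().GetApplicationReport(request);
            ApplicationReport appReport = reportResponse.GetApplicationReport();
            Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken =
                appReport.GetClientToAMToken();

            // ClientToAMToken master key should have been received on register
            // application master response.
            NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey());
            NUnit.Framework.Assert.IsTrue(
                ((byte[])response.GetClientToAMTokenMasterKey().Array()).Length > 0);

            // Start the AM with the correct shared-secret.
            ApplicationAttemptId appAttemptId =
                app.GetAppAttempts().Keys.GetEnumerator().Next();
            NUnit.Framework.Assert.IsNotNull(appAttemptId);
            TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(
                appAttemptId, ((byte[])response.GetClientToAMTokenMasterKey().Array()));
            am.Init(conf);
            am.Start();

            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            // NOTE(review): static call; presumably replaces the provider list for the
            // whole process - confirm it is restored after the test.
            SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo());

            // Verify denial for unauthenticated user.
            // The failure for "call unexpectedly succeeded" is raised after the
            // try/catch: NUnit reports Assert.Fail by throwing an exception, so calling
            // it inside the try would let the catch-all below swallow it and the
            // outcome would then depend only on the am.pinged flag.
            bool unauthenticatedCallReturned = false;
            try
            {
                TestClientToAMTokens.CustomProtocol client =
                    (TestClientToAMTokens.CustomProtocol)RPC.GetProxy<TestClientToAMTokens.CustomProtocol>(
                        1L, am.address, conf);
                client.Ping();
                unauthenticatedCallReturned = true;
            }
            catch (Exception)
            {
                // The call was refused; the AM must not have seen the ping.
                NUnit.Framework.Assert.IsFalse(am.pinged);
            }
            if (unauthenticatedCallReturned)
            {
                NUnit.Framework.Assert.Fail("Access by unauthenticated user should fail!!");
            }

            Org.Apache.Hadoop.Security.Token.Token<ClientToAMTokenIdentifier> token =
                ConverterUtils.ConvertFromYarn(originalClientToAMToken, am.address);

            // Verify denial for a malicious user with tampered ID
            VerifyTokenWithTamperedID(conf, am, token);
            // Verify denial for a malicious user with tampered user-name
            VerifyTokenWithTamperedUserName(conf, am, token);
            // Now for an authenticated user
            VerifyValidToken(conf, am, token);
            // Verify for a new version token
            VerifyNewVersionToken(conf, am, token, rm);

            am.Stop();
            rm.Stop();
        }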