// Test the DT mast key in the state-store when the mast key is being rolled.
/// <exception cref="System.Exception"/>
public virtual void TestRMDTMasterKeyStateOnRollingMasterKey()
{
MemoryRMStateStore memStore = new MemoryRMStateStore();
memStore.Init(conf);
RMStateStore.RMState rmState = memStore.GetState();
IDictionary <RMDelegationTokenIdentifier, long> rmDTState = rmState.GetRMDTSecretManagerState
().GetTokenState();
ICollection <DelegationKey> rmDTMasterKeyState = rmState.GetRMDTSecretManagerState
().GetMasterKeyState();
MockRM rm1 = new TestRMDelegationTokens.MyMockRM(this, conf, memStore);
rm1.Start();
// on rm start, two master keys are created.
// One is created at RMDTSecretMgr.startThreads.updateCurrentKey();
// the other is created on the first run of
// tokenRemoverThread.rollMasterKey()
RMDelegationTokenSecretManager dtSecretManager = rm1.GetRMContext().GetRMDelegationTokenSecretManager
();
// assert all master keys are saved
NUnit.Framework.Assert.AreEqual(dtSecretManager.GetAllMasterKeys(), rmDTMasterKeyState
);
ICollection <DelegationKey> expiringKeys = new HashSet <DelegationKey>();
Sharpen.Collections.AddAll(expiringKeys, dtSecretManager.GetAllMasterKeys());
// request to generate a RMDelegationToken
GetDelegationTokenRequest request = Org.Mockito.Mockito.Mock <GetDelegationTokenRequest
>();
Org.Mockito.Mockito.When(request.GetRenewer()).ThenReturn("renewer1");
GetDelegationTokenResponse response = rm1.GetClientRMService().GetDelegationToken
(request);
Org.Apache.Hadoop.Yarn.Api.Records.Token delegationToken = response.GetRMDelegationToken
();
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token1 = ConverterUtils
.ConvertFromYarn(delegationToken, (Text)null);
RMDelegationTokenIdentifier dtId1 = token1.DecodeIdentifier();
// For all keys that still remain in memory, we should have them stored
// in state-store also.
while (((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager
).numUpdatedKeys.Get() < 3)
{
((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager).CheckCurrentKeyInStateStore
(rmDTMasterKeyState);
Sharpen.Thread.Sleep(100);
}
// wait for token to expire and remove from state-store
// rollMasterKey is called every 1 second.
int count = 0;
while (rmDTState.Contains(dtId1) && count < 100)
{
Sharpen.Thread.Sleep(100);
count++;
}
rm1.Stop();
}
/// <exception cref="System.IO.IOException"/>
public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
request)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// Verify that the connection is kerberos authenticated
if (!this.IsAllowedDelegationTokenOp())
{
throw new IOException("Delegation Token can be issued only with kerberos authentication"
);
}
GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
>();
string user = ugi.GetUserName();
Text owner = new Text(user);
Text realUser = null;
if (ugi.GetRealUser() != null)
{
realUser = new Text(ugi.GetRealUser().GetUserName());
}
MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
, new Text(request.GetRenewer()), realUser);
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
, this._enclosing.jhsDTSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
.GetPassword(), realJHSToken.GetService().ToString());
response.SetDelegationToken(mrDToken);
return(response);
}
/// <exception cref="System.IO.IOException"/>
public virtual CancelDelegationTokenResponse CancelDelegationToken(CancelDelegationTokenRequest
request)
{
if (!this.IsAllowedDelegationTokenOp())
{
throw new IOException("Delegation Token can be cancelled only with kerberos authentication"
);
}
Org.Apache.Hadoop.Yarn.Api.Records.Token protoToken = request.GetDelegationToken(
);
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<MRDelegationTokenIdentifier>(((byte[])protoToken.GetIdentifier().Array()), ((byte
[])protoToken.GetPassword().Array()), new Text(protoToken.GetKind()), new Text(protoToken
.GetService()));
string user = UserGroupInformation.GetCurrentUser().GetUserName();
this._enclosing.jhsDTSecretManager.CancelToken(token, user);
return(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <CancelDelegationTokenResponse
>());
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
public override void Cancel <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0> token
, Configuration conf)
{
Org.Apache.Hadoop.Yarn.Api.Records.Token dToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(token.GetIdentifier(), token.GetKind().ToString(), token.GetPassword
(), token.GetService().ToString());
MRClientProtocol histProxy = InstantiateHistoryProxy(conf, SecurityUtil.GetTokenServiceAddr
(token));
try
{
CancelDelegationTokenRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<CancelDelegationTokenRequest>();
request.SetDelegationToken(dToken);
histProxy.CancelDelegationToken(request);
}
finally
{
StopHistoryProxy(histProxy);
}
}
