Example #1
0
                protected internal override AMRMTokenSecretManager CreateAMRMTokenSecretManager(Configuration
                                                                                                conf, RMContext rmContext)
                {
                    AMRMTokenSecretManager spySecretMgr = Org.Mockito.Mockito.Spy(base.CreateAMRMTokenSecretManager
                                                                                      (conf, rmContext));

                    spySecretMgrRef.Set(spySecretMgr);
                    return(spySecretMgr);
                }
Example #2
0
        // To avoid using cached client
        /// <exception cref="System.Exception"/>
        public virtual void TestAMRMMasterKeysUpdate()
        {
            AtomicReference <AMRMTokenSecretManager> spySecretMgrRef = new AtomicReference <AMRMTokenSecretManager
                                                                                            >();
            MockRM rm = new _MockRM_349(this, spySecretMgrRef, conf);

            // Skip the login.
            rm.Start();
            MockNM nm  = rm.RegisterNode("127.0.0.1:1234", 8000);
            RMApp  app = rm.SubmitApp(200);
            MockAM am  = MockRM.LaunchAndRegisterAM(app, rm, nm);
            AMRMTokenSecretManager spySecretMgr = spySecretMgrRef.Get();
            // Do allocate. Should not update AMRMToken
            AllocateResponse response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                    <AllocateRequest>());

            NUnit.Framework.Assert.IsNull(response.GetAMRMToken());
            Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> oldToken = rm.GetRMContext
                                                                                        ().GetRMApps()[app.GetApplicationId()].GetRMAppAttempt(am.GetApplicationAttemptId
                                                                                                                                                   ()).GetAMRMToken();
            // roll over the master key
            // Do allocate again. the AM should get the latest AMRMToken
            rm.GetRMContext().GetAMRMTokenSecretManager().RollMasterKey();
            response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
                                                                                  >());
            NUnit.Framework.Assert.IsNotNull(response.GetAMRMToken());
            Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = ConverterUtils
                                                                                     .ConvertFromYarn(response.GetAMRMToken(), new Text(response.GetAMRMToken().GetService
                                                                                                                                            ()));
            NUnit.Framework.Assert.AreEqual(amrmToken.DecodeIdentifier().GetKeyId(), rm.GetRMContext
                                                ().GetAMRMTokenSecretManager().GetMasterKey().GetMasterKey().GetKeyId());
            // Do allocate again with the same old token and verify the RM sends
            // back the last generated token instead of generating it again.
            Org.Mockito.Mockito.Reset(spySecretMgr);
            UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting(am.GetApplicationAttemptId
                                                                                     ().ToString(), new string[0]);

            ugi.AddTokenIdentifier(oldToken.DecodeIdentifier());
            response = am.DoAllocateAs(ugi, Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
                                                                                           >());
            NUnit.Framework.Assert.IsNotNull(response.GetAMRMToken());
            Org.Mockito.Mockito.Verify(spySecretMgr, Org.Mockito.Mockito.Never()).CreateAndGetAMRMToken
                (Matchers.IsA <ApplicationAttemptId>());
            // Do allocate again with the updated token and verify we do not
            // receive a new token to use.
            response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
                                                                                  >());
            NUnit.Framework.Assert.IsNull(response.GetAMRMToken());
            // Activate the next master key. Since there is new master key generated
            // in AMRMTokenSecretManager. The AMRMToken will not get updated for AM
            rm.GetRMContext().GetAMRMTokenSecretManager().ActivateNextMasterKey();
            response = am.Allocate(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
                                                                                  >());
            NUnit.Framework.Assert.IsNull(response.GetAMRMToken());
            rm.Stop();
        }
 internal NextKeyActivator(AMRMTokenSecretManager _enclosing)
 {
     this._enclosing = _enclosing;
 }
Example #4
0
        public virtual void TestMasterKeyRollOver()
        {
            conf.SetLong(YarnConfiguration.RmAmrmTokenMasterKeyRollingIntervalSecs, rolling_interval_sec
                         );
            conf.SetLong(YarnConfiguration.RmAmExpiryIntervalMs, am_expire_ms);
            TestAMAuthorization.MyContainerManager containerManager = new TestAMAuthorization.MyContainerManager
                                                                          ();
            TestAMAuthorization.MockRMWithAMS rm = new TestAMAuthorization.MockRMWithAMS(conf
                                                                                         , containerManager);
            rm.Start();
            long                      startTime             = Runtime.CurrentTimeMillis();
            Configuration             conf                  = rm.GetConfig();
            YarnRPC                   rpc                   = YarnRPC.Create(conf);
            ApplicationMasterProtocol rmClient              = null;
            AMRMTokenSecretManager    appTokenSecretManager = rm.GetRMContext().GetAMRMTokenSecretManager
                                                                  ();
            MasterKeyData oldKey = appTokenSecretManager.GetMasterKey();

            NUnit.Framework.Assert.IsNotNull(oldKey);
            try
            {
                MockNM nm1 = rm.RegisterNode("localhost:1234", 5120);
                RMApp  app = rm.SubmitApp(1024);
                nm1.NodeHeartbeat(true);
                int waitCount = 0;
                while (containerManager.containerTokens == null && waitCount++ < maxWaitAttempts)
                {
                    Log.Info("Waiting for AM Launch to happen..");
                    Sharpen.Thread.Sleep(1000);
                }
                NUnit.Framework.Assert.IsNotNull(containerManager.containerTokens);
                RMAppAttempt         attempt = app.GetCurrentAppAttempt();
                ApplicationAttemptId applicationAttemptId = attempt.GetAppAttemptId();
                // Create a client to the RM.
                UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(applicationAttemptId
                                                                                         .ToString());
                Credentials credentials   = containerManager.GetContainerCredentials();
                IPEndPoint  rmBindAddress = rm.GetApplicationMasterService().GetBindAddress();
                Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> amRMToken = TestAMAuthorization.MockRMWithAMS
                                                                                     .SetupAndReturnAMRMToken(rmBindAddress, credentials.GetAllTokens());
                currentUser.AddToken(amRMToken);
                rmClient = CreateRMClient(rm, conf, rpc, currentUser);
                RegisterApplicationMasterRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                           <RegisterApplicationMasterRequest>();
                rmClient.RegisterApplicationMaster(request);
                // One allocate call.
                AllocateRequest allocateRequest = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest
                                                                                                 >();
                NUnit.Framework.Assert.IsTrue(rmClient.Allocate(allocateRequest).GetAMCommand() ==
                                              null);
                // Wait for enough time and make sure the roll_over happens
                // At mean time, the old AMRMToken should continue to work
                while (Runtime.CurrentTimeMillis() - startTime < rolling_interval_sec * 1000)
                {
                    rmClient.Allocate(allocateRequest);
                    Sharpen.Thread.Sleep(500);
                }
                MasterKeyData newKey = appTokenSecretManager.GetMasterKey();
                NUnit.Framework.Assert.IsNotNull(newKey);
                NUnit.Framework.Assert.IsFalse("Master key should have changed!", oldKey.Equals(newKey
                                                                                                ));
                // Another allocate call with old AMRMToken. Should continue to work.
                rpc.StopProxy(rmClient, conf);
                // To avoid using cached client
                rmClient = CreateRMClient(rm, conf, rpc, currentUser);
                NUnit.Framework.Assert.IsTrue(rmClient.Allocate(allocateRequest).GetAMCommand() ==
                                              null);
                waitCount = 0;
                while (waitCount++ <= maxWaitAttempts)
                {
                    if (appTokenSecretManager.GetCurrnetMasterKeyData() != oldKey)
                    {
                        break;
                    }
                    try
                    {
                        rmClient.Allocate(allocateRequest);
                    }
                    catch (Exception)
                    {
                        break;
                    }
                    Sharpen.Thread.Sleep(200);
                }
                // active the nextMasterKey, and replace the currentMasterKey
                NUnit.Framework.Assert.IsTrue(appTokenSecretManager.GetCurrnetMasterKeyData().Equals
                                                  (newKey));
                NUnit.Framework.Assert.IsTrue(appTokenSecretManager.GetMasterKey().Equals(newKey)
                                              );
                NUnit.Framework.Assert.IsTrue(appTokenSecretManager.GetNextMasterKeyData() == null
                                              );
                // Create a new Token
                Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> newToken = appTokenSecretManager
                                                                                        .CreateAndGetAMRMToken(applicationAttemptId);
                SecurityUtil.SetTokenService(newToken, rmBindAddress);
                currentUser.AddToken(newToken);
                // Another allocate call. Should continue to work.
                rpc.StopProxy(rmClient, conf);
                // To avoid using cached client
                rmClient        = CreateRMClient(rm, conf, rpc, currentUser);
                allocateRequest = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest>(
                    );
                NUnit.Framework.Assert.IsTrue(rmClient.Allocate(allocateRequest).GetAMCommand() ==
                                              null);
                // Should not work by using the old AMRMToken.
                rpc.StopProxy(rmClient, conf);
                // To avoid using cached client
                try
                {
                    currentUser.AddToken(amRMToken);
                    rmClient        = CreateRMClient(rm, conf, rpc, currentUser);
                    allocateRequest = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <AllocateRequest>(
                        );
                    NUnit.Framework.Assert.IsTrue(rmClient.Allocate(allocateRequest).GetAMCommand() ==
                                                  null);
                    NUnit.Framework.Assert.Fail("The old Token should not work");
                }
                catch (Exception)
                {
                }
            }
            finally
            {
                // expect exception
                rm.Stop();
                if (rmClient != null)
                {
                    rpc.StopProxy(rmClient, conf);
                }
            }
        }
 internal MasterKeyRoller(AMRMTokenSecretManager _enclosing)
 {
     this._enclosing = _enclosing;
 }