// Test the DT mast key in the state-store when the mast key is being rolled.
/// <exception cref="System.Exception"/>
public virtual void TestRMDTMasterKeyStateOnRollingMasterKey()
{
MemoryRMStateStore memStore = new MemoryRMStateStore();
memStore.Init(conf);
RMStateStore.RMState rmState = memStore.GetState();
IDictionary <RMDelegationTokenIdentifier, long> rmDTState = rmState.GetRMDTSecretManagerState
().GetTokenState();
ICollection <DelegationKey> rmDTMasterKeyState = rmState.GetRMDTSecretManagerState
().GetMasterKeyState();
MockRM rm1 = new TestRMDelegationTokens.MyMockRM(this, conf, memStore);
rm1.Start();
// on rm start, two master keys are created.
// One is created at RMDTSecretMgr.startThreads.updateCurrentKey();
// the other is created on the first run of
// tokenRemoverThread.rollMasterKey()
RMDelegationTokenSecretManager dtSecretManager = rm1.GetRMContext().GetRMDelegationTokenSecretManager
();
// assert all master keys are saved
NUnit.Framework.Assert.AreEqual(dtSecretManager.GetAllMasterKeys(), rmDTMasterKeyState
);
ICollection <DelegationKey> expiringKeys = new HashSet <DelegationKey>();
Sharpen.Collections.AddAll(expiringKeys, dtSecretManager.GetAllMasterKeys());
// request to generate a RMDelegationToken
GetDelegationTokenRequest request = Org.Mockito.Mockito.Mock <GetDelegationTokenRequest
>();
Org.Mockito.Mockito.When(request.GetRenewer()).ThenReturn("renewer1");
GetDelegationTokenResponse response = rm1.GetClientRMService().GetDelegationToken
(request);
Org.Apache.Hadoop.Yarn.Api.Records.Token delegationToken = response.GetRMDelegationToken
();
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token1 = ConverterUtils
.ConvertFromYarn(delegationToken, (Text)null);
RMDelegationTokenIdentifier dtId1 = token1.DecodeIdentifier();
// For all keys that still remain in memory, we should have them stored
// in state-store also.
while (((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager
).numUpdatedKeys.Get() < 3)
{
((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager).CheckCurrentKeyInStateStore
(rmDTMasterKeyState);
Sharpen.Thread.Sleep(100);
}
// wait for token to expire and remove from state-store
// rollMasterKey is called every 1 second.
int count = 0;
while (rmDTState.Contains(dtId1) && count < 100)
{
Sharpen.Thread.Sleep(100);
count++;
}
rm1.Stop();
}
/// <exception cref="System.IO.IOException"/>
public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
request)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// Verify that the connection is kerberos authenticated
if (!this.IsAllowedDelegationTokenOp())
{
throw new IOException("Delegation Token can be issued only with kerberos authentication"
);
}
GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
>();
string user = ugi.GetUserName();
Text owner = new Text(user);
Text realUser = null;
if (ugi.GetRealUser() != null)
{
realUser = new Text(ugi.GetRealUser().GetUserName());
}
MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
, new Text(request.GetRenewer()), realUser);
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
, this._enclosing.jhsDTSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
.GetPassword(), realJHSToken.GetService().ToString());
response.SetDelegationToken(mrDToken);
return(response);
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public override GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
request)
{
this._enclosing.ResetStartFailoverFlag(true);
// make sure failover has been triggered
NUnit.Framework.Assert.IsTrue(this._enclosing.WaittingForFailOver());
return(GetDelegationTokenResponse.NewInstance(this._enclosing.CreateFakeToken()));
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public override Org.Apache.Hadoop.Yarn.Api.Records.Token GetRMDelegationToken(Text
renewer)
{
/* get the token from RM */
GetDelegationTokenRequest rmDTRequest = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetDelegationTokenRequest>();
rmDTRequest.SetRenewer(renewer.ToString());
GetDelegationTokenResponse response = rmClient.GetDelegationToken(rmDTRequest);
return(response.GetRMDelegationToken());
}
/// <exception cref="Com.Google.Protobuf.ServiceException"/>
public virtual SecurityProtos.GetDelegationTokenResponseProto GetDelegationToken(
RpcController controller, SecurityProtos.GetDelegationTokenRequestProto proto)
{
GetDelegationTokenRequest request = new GetDelegationTokenRequestPBImpl(proto);
try
{
GetDelegationTokenResponse response = real.GetDelegationToken(request);
return(((GetDelegationTokenResponsePBImpl)response).GetProto());
}
catch (IOException e)
{
throw new ServiceException(e);
}
}
public virtual void TestClusterGetDelegationToken()
{
Configuration conf = new Configuration(false);
Cluster cluster = null;
try
{
conf = new Configuration();
conf.Set(MRConfig.FrameworkName, MRConfig.YarnFrameworkName);
cluster = new Cluster(conf);
YARNRunner yrunner = (YARNRunner)cluster.GetClient();
GetDelegationTokenResponse getDTResponse = recordFactory.NewRecordInstance <GetDelegationTokenResponse
>();
Token rmDTToken = recordFactory.NewRecordInstance <Token>();
rmDTToken.SetIdentifier(ByteBuffer.Wrap(new byte[2]));
rmDTToken.SetKind("Testclusterkind");
rmDTToken.SetPassword(ByteBuffer.Wrap(Sharpen.Runtime.GetBytesForString("testcluster"
)));
rmDTToken.SetService("0.0.0.0:8032");
getDTResponse.SetRMDelegationToken(rmDTToken);
ApplicationClientProtocol cRMProtocol = Org.Mockito.Mockito.Mock <ApplicationClientProtocol
>();
Org.Mockito.Mockito.When(cRMProtocol.GetDelegationToken(Matchers.Any <GetDelegationTokenRequest
>())).ThenReturn(getDTResponse);
ResourceMgrDelegate rmgrDelegate = new _ResourceMgrDelegate_112(cRMProtocol, new
YarnConfiguration(conf));
yrunner.SetResourceMgrDelegate(rmgrDelegate);
Org.Apache.Hadoop.Security.Token.Token t = cluster.GetDelegationToken(new Text(" "
));
NUnit.Framework.Assert.IsTrue("Token kind is instead " + t.GetKind().ToString(),
"Testclusterkind".Equals(t.GetKind().ToString()));
}
finally
{
if (cluster != null)
{
cluster.Close();
}
}
}
/// <exception cref="System.Exception"/>
public virtual void TestGetHSDelegationToken()
{
try
{
Configuration conf = new Configuration();
// Setup mock service
IPEndPoint mockRmAddress = new IPEndPoint("localhost", 4444);
Text rmTokenSevice = SecurityUtil.BuildTokenService(mockRmAddress);
IPEndPoint mockHsAddress = new IPEndPoint("localhost", 9200);
Text hsTokenSevice = SecurityUtil.BuildTokenService(mockHsAddress);
// Setup mock rm token
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new
Text("owner"), new Text("renewer"), new Text("real"));
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<RMDelegationTokenIdentifier>(new byte[0], new byte[0], tokenIdentifier.GetKind(
), rmTokenSevice);
token.SetKind(RMDelegationTokenIdentifier.KindName);
// Setup mock history token
Org.Apache.Hadoop.Yarn.Api.Records.Token historyToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(new byte[0], MRDelegationTokenIdentifier.KindName.ToString(), new byte
[0], hsTokenSevice.ToString());
GetDelegationTokenResponse getDtResponse = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetDelegationTokenResponse>();
getDtResponse.SetDelegationToken(historyToken);
// mock services
MRClientProtocol mockHsProxy = Org.Mockito.Mockito.Mock <MRClientProtocol>();
Org.Mockito.Mockito.DoReturn(mockHsAddress).When(mockHsProxy).GetConnectAddress();
Org.Mockito.Mockito.DoReturn(getDtResponse).When(mockHsProxy).GetDelegationToken(
Matchers.Any <GetDelegationTokenRequest>());
ResourceMgrDelegate rmDelegate = Org.Mockito.Mockito.Mock <ResourceMgrDelegate>();
Org.Mockito.Mockito.DoReturn(rmTokenSevice).When(rmDelegate).GetRMDelegationTokenService
();
ClientCache clientCache = Org.Mockito.Mockito.Mock <ClientCache>();
Org.Mockito.Mockito.DoReturn(mockHsProxy).When(clientCache).GetInitializedHSProxy
();
Credentials creds = new Credentials();
YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache);
// No HS token if no RM token
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// No HS token if RM token, but secirity disabled.
creds.AddToken(new Text("rmdt"), token);
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
creds = new Credentials();
// No HS token if no RM token, security enabled
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// HS token if RM token present, security enabled
creds.AddToken(new Text("rmdt"), token);
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// No additional call to get HS token if RM and HS token present
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
}
finally
{
// Back to defaults.
UserGroupInformation.SetConfiguration(new Configuration());
}
}
