// Test the DT mast key in the state-store when the mast key is being rolled.
/// <exception cref="System.Exception"/>
public virtual void TestRMDTMasterKeyStateOnRollingMasterKey()
{
MemoryRMStateStore memStore = new MemoryRMStateStore();
memStore.Init(conf);
RMStateStore.RMState rmState = memStore.GetState();
IDictionary <RMDelegationTokenIdentifier, long> rmDTState = rmState.GetRMDTSecretManagerState
().GetTokenState();
ICollection <DelegationKey> rmDTMasterKeyState = rmState.GetRMDTSecretManagerState
().GetMasterKeyState();
MockRM rm1 = new TestRMDelegationTokens.MyMockRM(this, conf, memStore);
rm1.Start();
// on rm start, two master keys are created.
// One is created at RMDTSecretMgr.startThreads.updateCurrentKey();
// the other is created on the first run of
// tokenRemoverThread.rollMasterKey()
RMDelegationTokenSecretManager dtSecretManager = rm1.GetRMContext().GetRMDelegationTokenSecretManager
();
// assert all master keys are saved
NUnit.Framework.Assert.AreEqual(dtSecretManager.GetAllMasterKeys(), rmDTMasterKeyState
);
ICollection <DelegationKey> expiringKeys = new HashSet <DelegationKey>();
Sharpen.Collections.AddAll(expiringKeys, dtSecretManager.GetAllMasterKeys());
// request to generate a RMDelegationToken
GetDelegationTokenRequest request = Org.Mockito.Mockito.Mock <GetDelegationTokenRequest
>();
Org.Mockito.Mockito.When(request.GetRenewer()).ThenReturn("renewer1");
GetDelegationTokenResponse response = rm1.GetClientRMService().GetDelegationToken
(request);
Org.Apache.Hadoop.Yarn.Api.Records.Token delegationToken = response.GetRMDelegationToken
();
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token1 = ConverterUtils
.ConvertFromYarn(delegationToken, (Text)null);
RMDelegationTokenIdentifier dtId1 = token1.DecodeIdentifier();
// For all keys that still remain in memory, we should have them stored
// in state-store also.
while (((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager
).numUpdatedKeys.Get() < 3)
{
((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager).CheckCurrentKeyInStateStore
(rmDTMasterKeyState);
Sharpen.Thread.Sleep(100);
}
// wait for token to expire and remove from state-store
// rollMasterKey is called every 1 second.
int count = 0;
while (rmDTState.Contains(dtId1) && count < 100)
{
Sharpen.Thread.Sleep(100);
count++;
}
rm1.Stop();
}
public RMStateStoreRMDTEvent(RMDelegationTokenIdentifier rmDTIdentifier, long renewDate
, RMStateStoreEventType type)
: this(type)
{
this.rmDTIdentifier = rmDTIdentifier;
this.renewDate = renewDate;
}
/// <exception cref="System.Exception"/>
protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier
rmDTIdentifier, long renewDate)
{
lock (this)
{
StoreOrUpdateRMDelegationTokenState(rmDTIdentifier, renewDate, true);
}
}
public override void RemoveRMDelegationToken(RMDelegationTokenIdentifier rmDTIdentifier
)
{
lock (this)
{
this.NotifyStoreOperationFailed(new Exception("testNotifyStoreOperationFailed"));
}
}
/// <exception cref="System.Exception"/>
protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier
rmDTIdentifier)
{
lock (this)
{
throw new Exception("testNotifyStoreOperationFailed");
}
}
/// <exception cref="System.Exception"/>
private void LoadRMDTSecretManagerState(RMStateStore.RMState rmState)
{
CheckAndResumeUpdateOperation(rmDTSecretManagerRoot);
FileStatus[] childNodes = ListStatusWithRetries(rmDTSecretManagerRoot);
foreach (FileStatus childNodeStatus in childNodes)
{
System.Diagnostics.Debug.Assert(childNodeStatus.IsFile());
string childNodeName = childNodeStatus.GetPath().GetName();
if (CheckAndRemovePartialRecordWithRetries(childNodeStatus.GetPath()))
{
continue;
}
if (childNodeName.StartsWith(DelegationTokenSequenceNumberPrefix))
{
rmState.rmSecretManagerState.dtSequenceNumber = System.Convert.ToInt32(childNodeName
.Split("_")[1]);
continue;
}
Path childNodePath = GetNodePath(rmDTSecretManagerRoot, childNodeName);
byte[] childData = ReadFileWithRetries(childNodePath, childNodeStatus.GetLen());
ByteArrayInputStream @is = new ByteArrayInputStream(childData);
using (DataInputStream fsIn = new DataInputStream(@is))
{
if (childNodeName.StartsWith(DelegationKeyPrefix))
{
DelegationKey key = new DelegationKey();
key.ReadFields(fsIn);
rmState.rmSecretManagerState.masterKeyState.AddItem(key);
if (Log.IsDebugEnabled())
{
Log.Debug("Loaded delegation key: keyId=" + key.GetKeyId() + ", expirationDate="
+ key.GetExpiryDate());
}
}
else
{
if (childNodeName.StartsWith(DelegationTokenPrefix))
{
RMDelegationTokenIdentifierData identifierData = new RMDelegationTokenIdentifierData
();
identifierData.ReadFields(fsIn);
RMDelegationTokenIdentifier identifier = identifierData.GetTokenIdentifier();
long renewDate = identifierData.GetRenewDate();
rmState.rmSecretManagerState.delegationTokenState[identifier] = renewDate;
if (Log.IsDebugEnabled())
{
Log.Debug("Loaded RMDelegationTokenIdentifier: " + identifier + " renewDate=" + renewDate
);
}
}
else
{
Log.Warn("Unknown file for recovering RMDelegationTokenSecretManager");
}
}
}
}
}
/// <exception cref="System.IO.IOException"/>
public virtual RMDelegationTokenIdentifier GetTokenIdentifier()
{
ByteArrayInputStream @in = new ByteArrayInputStream(builder.GetTokenIdentifier().
ToByteArray());
RMDelegationTokenIdentifier identifer = new RMDelegationTokenIdentifier();
identifer.ReadFields(new DataInputStream(@in));
return(identifer);
}
/// <exception cref="System.Exception"/>
protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier
rmDTIdentifier, long renewDate)
{
lock (this)
{
RemoveRMDelegationTokenState(rmDTIdentifier);
StoreOrUpdateRMDT(rmDTIdentifier, renewDate, true);
Log.Info("Update RMDT with sequence number " + rmDTIdentifier.GetSequenceNumber()
);
}
}
/// <exception cref="System.Exception"/>
protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier
identifier)
{
lock (this)
{
Path nodeCreatePath = GetNodePath(rmDTSecretManagerRoot, DelegationTokenPrefix +
identifier.GetSequenceNumber());
Log.Info("Removing RMDelegationToken_" + identifier.GetSequenceNumber());
DeleteFileWithRetries(nodeCreatePath);
}
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private void CheckShortCircuitRenewCancel(IPEndPoint rmAddr, IPEndPoint serviceAddr
, bool shouldShortCircuit)
{
Configuration conf = new Configuration();
conf.SetClass(YarnConfiguration.IpcRpcImpl, typeof(TestClientRMTokens.YarnBadRPC)
, typeof(YarnRPC));
RMDelegationTokenSecretManager secretManager = Org.Mockito.Mockito.Mock <RMDelegationTokenSecretManager
>();
RMDelegationTokenIdentifier.Renewer.SetSecretManager(secretManager, rmAddr);
RMDelegationTokenIdentifier ident = new RMDelegationTokenIdentifier(new Text("owner"
), new Text("renewer"), null);
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<RMDelegationTokenIdentifier>(ident, secretManager);
SecurityUtil.SetTokenService(token, serviceAddr);
if (shouldShortCircuit)
{
token.Renew(conf);
Org.Mockito.Mockito.Verify(secretManager).RenewToken(Matchers.Eq(token), Matchers.Eq
("renewer"));
Org.Mockito.Mockito.Reset(secretManager);
token.Cancel(conf);
Org.Mockito.Mockito.Verify(secretManager).CancelToken(Matchers.Eq(token), Matchers.Eq
("renewer"));
}
else
{
try
{
token.Renew(conf);
NUnit.Framework.Assert.Fail();
}
catch (RuntimeException e)
{
NUnit.Framework.Assert.AreEqual("getProxy", e.Message);
}
Org.Mockito.Mockito.Verify(secretManager, Org.Mockito.Mockito.Never()).RenewToken
(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>(), Matchers.AnyString());
try
{
token.Cancel(conf);
NUnit.Framework.Assert.Fail();
}
catch (RuntimeException e)
{
NUnit.Framework.Assert.AreEqual("getProxy", e.Message);
}
Org.Mockito.Mockito.Verify(secretManager, Org.Mockito.Mockito.Never()).CancelToken
(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>(), Matchers.AnyString());
}
}
/// <exception cref="System.Exception"/>
protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier
rmDTIdentifier)
{
lock (this)
{
IDictionary <RMDelegationTokenIdentifier, long> rmDTState = state.rmSecretManagerState
.GetTokenState();
Sharpen.Collections.Remove(rmDTState, rmDTIdentifier);
Log.Info("Remove RMDT with sequence number " + rmDTIdentifier.GetSequenceNumber()
);
}
}
/// <exception cref="System.IO.IOException"/>
protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier
tokenId)
{
string tokenKey = GetRMDTTokenNodeKey(tokenId);
if (Log.IsDebugEnabled())
{
Log.Debug("Removing token at " + tokenKey);
}
try
{
db.Delete(JniDBFactory.Bytes(tokenKey));
}
catch (DBException e)
{
throw new IOException(e);
}
}
/// <exception cref="System.IO.IOException"/>
private void StoreOrUpdateRMDT(RMDelegationTokenIdentifier tokenId, long renewDate
, bool isUpdate)
{
string tokenKey = GetRMDTTokenNodeKey(tokenId);
RMDelegationTokenIdentifierData tokenData = new RMDelegationTokenIdentifierData(tokenId
, renewDate);
if (Log.IsDebugEnabled())
{
Log.Debug("Storing token to " + tokenKey);
}
try
{
WriteBatch batch = db.CreateWriteBatch();
try
{
batch.Put(JniDBFactory.Bytes(tokenKey), tokenData.ToByteArray());
if (!isUpdate)
{
ByteArrayOutputStream bs = new ByteArrayOutputStream();
using (DataOutputStream ds = new DataOutputStream(bs))
{
ds.WriteInt(tokenId.GetSequenceNumber());
}
if (Log.IsDebugEnabled())
{
Log.Debug("Storing " + tokenId.GetSequenceNumber() + " to " + RmDtSequenceNumberKey
);
}
batch.Put(JniDBFactory.Bytes(RmDtSequenceNumberKey), bs.ToByteArray());
}
db.Write(batch);
}
finally
{
batch.Close();
}
}
catch (DBException e)
{
throw new IOException(e);
}
}
/// <exception cref="System.IO.IOException"/>
private int LoadRMDTSecretManagerTokens(RMStateStore.RMState state)
{
int numTokens = 0;
LeveldbIterator iter = null;
try
{
iter = new LeveldbIterator(db);
iter.Seek(JniDBFactory.Bytes(RmDtTokenKeyPrefix));
while (iter.HasNext())
{
KeyValuePair <byte[], byte[]> entry = iter.Next();
string key = JniDBFactory.AsString(entry.Key);
if (!key.StartsWith(RmDtTokenKeyPrefix))
{
break;
}
RMDelegationTokenIdentifierData tokenData = LoadDelegationToken(entry.Value);
RMDelegationTokenIdentifier tokenId = tokenData.GetTokenIdentifier();
long renewDate = tokenData.GetRenewDate();
state.rmSecretManagerState.delegationTokenState[tokenId] = renewDate;
++numTokens;
if (Log.IsDebugEnabled())
{
Log.Debug("Loaded RM delegation token from " + key + ": tokenId=" + tokenId + ", renewDate="
+ renewDate);
}
}
}
catch (DBException e)
{
throw new IOException(e);
}
finally
{
if (iter != null)
{
iter.Close();
}
}
return(numTokens);
}
/// <exception cref="System.Exception"/>
private void StoreOrUpdateRMDT(RMDelegationTokenIdentifier rmDTIdentifier, long renewDate
, bool isUpdate)
{
IDictionary <RMDelegationTokenIdentifier, long> rmDTState = state.rmSecretManagerState
.GetTokenState();
if (rmDTState.Contains(rmDTIdentifier))
{
IOException e = new IOException("RMDelegationToken: " + rmDTIdentifier + "is already stored."
);
Log.Info("Error storing info for RMDelegationToken: " + rmDTIdentifier, e);
throw e;
}
rmDTState[rmDTIdentifier] = renewDate;
if (!isUpdate)
{
state.rmSecretManagerState.dtSequenceNumber = rmDTIdentifier.GetSequenceNumber();
}
Log.Info("Store RMDT with sequence number " + rmDTIdentifier.GetSequenceNumber());
}
public RMDelegationTokenIdentifierForTest(RMDelegationTokenIdentifier token, string
message)
{
if (token.GetOwner() != null)
{
SetOwner(new Text(token.GetOwner()));
}
if (token.GetRenewer() != null)
{
SetRenewer(new Text(token.GetRenewer()));
}
if (token.GetRealUser() != null)
{
SetRealUser(new Text(token.GetRealUser()));
}
SetIssueDate(token.GetIssueDate());
SetMaxDate(token.GetMaxDate());
SetSequenceNumber(token.GetSequenceNumber());
SetMasterKeyId(token.GetMasterKeyId());
builder.SetMessage(message);
}
/// <exception cref="System.Exception"/>
private void StoreOrUpdateRMDelegationTokenState(RMDelegationTokenIdentifier identifier
, long renewDate, bool isUpdate)
{
Path nodeCreatePath = GetNodePath(rmDTSecretManagerRoot, DelegationTokenPrefix +
identifier.GetSequenceNumber());
RMDelegationTokenIdentifierData identifierData = new RMDelegationTokenIdentifierData
(identifier, renewDate);
if (isUpdate)
{
Log.Info("Updating RMDelegationToken_" + identifier.GetSequenceNumber());
UpdateFile(nodeCreatePath, identifierData.ToByteArray(), true);
}
else
{
Log.Info("Storing RMDelegationToken_" + identifier.GetSequenceNumber());
WriteFileWithRetries(nodeCreatePath, identifierData.ToByteArray(), true);
// store sequence number
Path latestSequenceNumberPath = GetNodePath(rmDTSecretManagerRoot, DelegationTokenSequenceNumberPrefix
+ identifier.GetSequenceNumber());
Log.Info("Storing " + DelegationTokenSequenceNumberPrefix + identifier.GetSequenceNumber
());
if (dtSequenceNumberPath == null)
{
if (!CreateFileWithRetries(latestSequenceNumberPath))
{
throw new Exception("Failed to create " + latestSequenceNumberPath);
}
}
else
{
if (!RenameFileWithRetries(dtSequenceNumberPath, latestSequenceNumberPath))
{
throw new Exception("Failed to rename " + dtSequenceNumberPath);
}
}
dtSequenceNumberPath = latestSequenceNumberPath;
}
}
public virtual void TestNotifyStoreOperationFailed()
{
RMStateStore store = new _MemoryRMStateStore_34();
Configuration conf = new Configuration();
conf.SetBoolean(YarnConfiguration.RmHaEnabled, true);
store.Init(conf);
ResourceManager mockRM = Org.Mockito.Mockito.Mock <ResourceManager>();
store.SetResourceManager(mockRM);
RMDelegationTokenIdentifier mockTokenId = Org.Mockito.Mockito.Mock <RMDelegationTokenIdentifier
>();
store.RemoveRMDelegationToken(mockTokenId);
NUnit.Framework.Assert.IsTrue("RMStateStore should have been in fenced state", store
.IsFencedState());
store = new _MemoryRMStateStore_51();
store.Init(conf);
store.SetResourceManager(mockRM);
store.RemoveRMDelegationToken(mockTokenId);
NUnit.Framework.Assert.IsTrue("RMStateStore should have been in fenced state", store
.IsFencedState());
}
public virtual void TestFencedState()
{
TestZKRMStateStore.TestZKRMStateStoreTester zkTester = new TestZKRMStateStore.TestZKRMStateStoreTester
(this);
RMStateStore store = zkTester.GetRMStateStore();
// Move state to FENCED from ACTIVE
store.UpdateFencedState();
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
long submitTime = Runtime.CurrentTimeMillis();
long startTime = submitTime + 1000;
// Add a new app
RMApp mockApp = Org.Mockito.Mockito.Mock <RMApp>();
ApplicationSubmissionContext context = new ApplicationSubmissionContextPBImpl();
Org.Mockito.Mockito.When(mockApp.GetSubmitTime()).ThenReturn(submitTime);
Org.Mockito.Mockito.When(mockApp.GetStartTime()).ThenReturn(startTime);
Org.Mockito.Mockito.When(mockApp.GetApplicationSubmissionContext()).ThenReturn(context
);
Org.Mockito.Mockito.When(mockApp.GetUser()).ThenReturn("test");
store.StoreNewApplication(mockApp);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// Add a new attempt
ClientToAMTokenSecretManagerInRM clientToAMTokenMgr = new ClientToAMTokenSecretManagerInRM
();
ApplicationAttemptId attemptId = ConverterUtils.ToApplicationAttemptId("appattempt_1234567894321_0001_000001"
);
SecretKey clientTokenMasterKey = clientToAMTokenMgr.CreateMasterKey(attemptId);
RMAppAttemptMetrics mockRmAppAttemptMetrics = Org.Mockito.Mockito.Mock <RMAppAttemptMetrics
>();
Container container = new ContainerPBImpl();
container.SetId(ConverterUtils.ToContainerId("container_1234567891234_0001_01_000001"
));
RMAppAttempt mockAttempt = Org.Mockito.Mockito.Mock <RMAppAttempt>();
Org.Mockito.Mockito.When(mockAttempt.GetAppAttemptId()).ThenReturn(attemptId);
Org.Mockito.Mockito.When(mockAttempt.GetMasterContainer()).ThenReturn(container);
Org.Mockito.Mockito.When(mockAttempt.GetClientTokenMasterKey()).ThenReturn(clientTokenMasterKey
);
Org.Mockito.Mockito.When(mockAttempt.GetRMAppAttemptMetrics()).ThenReturn(mockRmAppAttemptMetrics
);
Org.Mockito.Mockito.When(mockRmAppAttemptMetrics.GetAggregateAppResourceUsage()).
ThenReturn(new AggregateAppResourceUsage(0, 0));
store.StoreNewApplicationAttempt(mockAttempt);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
long finishTime = submitTime + 1000;
// Update attempt
ApplicationAttemptStateData newAttemptState = ApplicationAttemptStateData.NewInstance
(attemptId, container, store.GetCredentialsFromAppAttempt(mockAttempt), startTime
, RMAppAttemptState.Finished, "testUrl", "test", FinalApplicationStatus.Succeeded
, 100, finishTime, 0, 0);
store.UpdateApplicationAttemptState(newAttemptState);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// Update app
ApplicationStateData appState = ApplicationStateData.NewInstance(submitTime, startTime
, context, "test");
store.UpdateApplicationState(appState);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// Remove app
store.RemoveApplication(mockApp);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// store RM delegation token;
RMDelegationTokenIdentifier dtId1 = new RMDelegationTokenIdentifier(new Text("owner1"
), new Text("renewer1"), new Text("realuser1"));
long renewDate1 = Runtime.CurrentTimeMillis();
dtId1.SetSequenceNumber(1111);
store.StoreRMDelegationToken(dtId1, renewDate1);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
store.UpdateRMDelegationToken(dtId1, renewDate1);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// remove delegation key;
store.RemoveRMDelegationToken(dtId1);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// store delegation master key;
DelegationKey key = new DelegationKey(1234, 4321, Sharpen.Runtime.GetBytesForString
("keyBytes"));
store.StoreRMDTMasterKey(key);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// remove delegation master key;
store.RemoveRMDTMasterKey(key);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
// store or update AMRMToken;
store.StoreOrUpdateAMRMTokenSecretManager(null, false);
NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state",
true, store.IsFencedState());
store.Close();
}
/// <exception cref="System.IO.IOException"/>
protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier
tokenId, long renewDate)
{
StoreOrUpdateRMDT(tokenId, renewDate, true);
}
private string GetRMDTTokenNodeKey(RMDelegationTokenIdentifier tokenId)
{
return(RmDtTokenKeyPrefix + tokenId.GetSequenceNumber());
}
/// <exception cref="System.Exception"/>
public virtual void TestRMDTSecretManagerStateStore(RMStateStoreTestBase.RMStateStoreHelper
stateStoreHelper)
{
RMStateStore store = stateStoreHelper.GetRMStateStore();
RMStateStoreTestBase.TestDispatcher dispatcher = new RMStateStoreTestBase.TestDispatcher
();
store.SetRMDispatcher(dispatcher);
// store RM delegation token;
RMDelegationTokenIdentifier dtId1 = new RMDelegationTokenIdentifier(new Text("owner1"
), new Text("renewer1"), new Text("realuser1"));
int sequenceNumber = 1111;
dtId1.SetSequenceNumber(sequenceNumber);
byte[] tokenBeforeStore = dtId1.GetBytes();
long renewDate1 = Runtime.CurrentTimeMillis();
store.StoreRMDelegationToken(dtId1, renewDate1);
ModifyRMDelegationTokenState();
IDictionary <RMDelegationTokenIdentifier, long> token1 = new Dictionary <RMDelegationTokenIdentifier
, long>();
token1[dtId1] = renewDate1;
// store delegation key;
DelegationKey key = new DelegationKey(1234, 4321, Sharpen.Runtime.GetBytesForString
("keyBytes"));
HashSet <DelegationKey> keySet = new HashSet <DelegationKey>();
keySet.AddItem(key);
store.StoreRMDTMasterKey(key);
RMStateStore.RMDTSecretManagerState secretManagerState = store.LoadState().GetRMDTSecretManagerState
();
NUnit.Framework.Assert.AreEqual(token1, secretManagerState.GetTokenState());
NUnit.Framework.Assert.AreEqual(keySet, secretManagerState.GetMasterKeyState());
NUnit.Framework.Assert.AreEqual(sequenceNumber, secretManagerState.GetDTSequenceNumber
());
RMDelegationTokenIdentifier tokenAfterStore = secretManagerState.GetTokenState().
Keys.GetEnumerator().Next();
NUnit.Framework.Assert.IsTrue(Arrays.Equals(tokenBeforeStore, tokenAfterStore.GetBytes
()));
// update RM delegation token;
renewDate1 = Runtime.CurrentTimeMillis();
store.UpdateRMDelegationToken(dtId1, renewDate1);
token1[dtId1] = renewDate1;
RMStateStore.RMDTSecretManagerState updateSecretManagerState = store.LoadState().
GetRMDTSecretManagerState();
NUnit.Framework.Assert.AreEqual(token1, updateSecretManagerState.GetTokenState());
NUnit.Framework.Assert.AreEqual(keySet, updateSecretManagerState.GetMasterKeyState
());
NUnit.Framework.Assert.AreEqual(sequenceNumber, updateSecretManagerState.GetDTSequenceNumber
());
// check to delete delegationKey
store.RemoveRMDTMasterKey(key);
keySet.Clear();
RMStateStore.RMDTSecretManagerState noKeySecretManagerState = store.LoadState().GetRMDTSecretManagerState
();
NUnit.Framework.Assert.AreEqual(token1, noKeySecretManagerState.GetTokenState());
NUnit.Framework.Assert.AreEqual(keySet, noKeySecretManagerState.GetMasterKeyState
());
NUnit.Framework.Assert.AreEqual(sequenceNumber, noKeySecretManagerState.GetDTSequenceNumber
());
// check to delete delegationToken
store.RemoveRMDelegationToken(dtId1);
RMStateStore.RMDTSecretManagerState noKeyAndTokenSecretManagerState = store.LoadState
().GetRMDTSecretManagerState();
token1.Clear();
NUnit.Framework.Assert.AreEqual(token1, noKeyAndTokenSecretManagerState.GetTokenState
());
NUnit.Framework.Assert.AreEqual(keySet, noKeyAndTokenSecretManagerState.GetMasterKeyState
());
NUnit.Framework.Assert.AreEqual(sequenceNumber, noKeySecretManagerState.GetDTSequenceNumber
());
store.Close();
}
/// <exception cref="System.Exception"/>
public virtual void TestGetHSDelegationToken()
{
try
{
Configuration conf = new Configuration();
// Setup mock service
IPEndPoint mockRmAddress = new IPEndPoint("localhost", 4444);
Text rmTokenSevice = SecurityUtil.BuildTokenService(mockRmAddress);
IPEndPoint mockHsAddress = new IPEndPoint("localhost", 9200);
Text hsTokenSevice = SecurityUtil.BuildTokenService(mockHsAddress);
// Setup mock rm token
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new
Text("owner"), new Text("renewer"), new Text("real"));
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<RMDelegationTokenIdentifier>(new byte[0], new byte[0], tokenIdentifier.GetKind(
), rmTokenSevice);
token.SetKind(RMDelegationTokenIdentifier.KindName);
// Setup mock history token
Org.Apache.Hadoop.Yarn.Api.Records.Token historyToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(new byte[0], MRDelegationTokenIdentifier.KindName.ToString(), new byte
[0], hsTokenSevice.ToString());
GetDelegationTokenResponse getDtResponse = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<GetDelegationTokenResponse>();
getDtResponse.SetDelegationToken(historyToken);
// mock services
MRClientProtocol mockHsProxy = Org.Mockito.Mockito.Mock <MRClientProtocol>();
Org.Mockito.Mockito.DoReturn(mockHsAddress).When(mockHsProxy).GetConnectAddress();
Org.Mockito.Mockito.DoReturn(getDtResponse).When(mockHsProxy).GetDelegationToken(
Matchers.Any <GetDelegationTokenRequest>());
ResourceMgrDelegate rmDelegate = Org.Mockito.Mockito.Mock <ResourceMgrDelegate>();
Org.Mockito.Mockito.DoReturn(rmTokenSevice).When(rmDelegate).GetRMDelegationTokenService
();
ClientCache clientCache = Org.Mockito.Mockito.Mock <ClientCache>();
Org.Mockito.Mockito.DoReturn(mockHsProxy).When(clientCache).GetInitializedHSProxy
();
Credentials creds = new Credentials();
YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache);
// No HS token if no RM token
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// No HS token if RM token, but secirity disabled.
creds.AddToken(new Text("rmdt"), token);
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
creds = new Credentials();
// No HS token if no RM token, security enabled
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// HS token if RM token present, security enabled
creds.AddToken(new Text("rmdt"), token);
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
// No additional call to get HS token if RM and HS token present
yarnRunner.AddHistoryToken(creds);
Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken
(Matchers.Any <GetDelegationTokenRequest>());
}
finally
{
// Back to defaults.
UserGroupInformation.SetConfiguration(new Configuration());
}
}
public virtual void TestRMDelegationTokenIdentifier()
{
Text owner = new Text("user1");
Text renewer = new Text("user2");
Text realUser = new Text("user3");
long issueDate = 1;
long maxDate = 2;
int sequenceNumber = 3;
int masterKeyId = 4;
RMDelegationTokenIdentifier token = new RMDelegationTokenIdentifier(owner, renewer
, realUser);
token.SetIssueDate(issueDate);
token.SetMaxDate(maxDate);
token.SetSequenceNumber(sequenceNumber);
token.SetMasterKeyId(masterKeyId);
RMDelegationTokenIdentifier anotherToken = new RMDelegationTokenIdentifier();
byte[] tokenContent = token.GetBytes();
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenContent, tokenContent.Length);
anotherToken.ReadFields(dib);
dib.Close();
// verify the whole record equals with original record
NUnit.Framework.Assert.AreEqual("Token is not the same after serialization " + "and deserialization."
, token, anotherToken);
NUnit.Framework.Assert.AreEqual("owner from proto is not the same with original token"
, anotherToken.GetOwner(), owner);
NUnit.Framework.Assert.AreEqual("renewer from proto is not the same with original token"
, anotherToken.GetRenewer(), renewer);
NUnit.Framework.Assert.AreEqual("realUser from proto is not the same with original token"
, anotherToken.GetRealUser(), realUser);
NUnit.Framework.Assert.AreEqual("issueDate from proto is not the same with original token"
, anotherToken.GetIssueDate(), issueDate);
NUnit.Framework.Assert.AreEqual("maxDate from proto is not the same with original token"
, anotherToken.GetMaxDate(), maxDate);
NUnit.Framework.Assert.AreEqual("sequenceNumber from proto is not the same with original token"
, anotherToken.GetSequenceNumber(), sequenceNumber);
NUnit.Framework.Assert.AreEqual("masterKeyId from proto is not the same with original token"
, anotherToken.GetMasterKeyId(), masterKeyId);
// Test getProto
RMDelegationTokenIdentifier token1 = new RMDelegationTokenIdentifier(owner, renewer
, realUser);
token1.SetIssueDate(issueDate);
token1.SetMaxDate(maxDate);
token1.SetSequenceNumber(sequenceNumber);
token1.SetMasterKeyId(masterKeyId);
YarnSecurityTokenProtos.YARNDelegationTokenIdentifierProto tokenProto = token1.GetProto
();
// Write token proto to stream
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream @out = new DataOutputStream(baos);
tokenProto.WriteTo(@out);
// Read token
byte[] tokenData = baos.ToByteArray();
RMDelegationTokenIdentifier readToken = new RMDelegationTokenIdentifier();
DataInputBuffer db = new DataInputBuffer();
db.Reset(tokenData, tokenData.Length);
readToken.ReadFields(db);
// Verify if read token equals with original token
NUnit.Framework.Assert.AreEqual("Token from getProto is not the same after " + "serialization and deserialization."
, token1, readToken);
db.Close();
@out.Close();
}
// Do nothing
/// <exception cref="System.Exception"/>
protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier
rmDTIdentifier, long renewDate)
{
}
// Do nothing
/// <exception cref="System.Exception"/>
protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier
rmDTIdentifier)
{
}
public virtual void TestDelegationToken()
{
YarnConfiguration conf = new YarnConfiguration();
conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]");
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ResourceScheduler scheduler = CreateMockScheduler(conf);
long initialInterval = 10000l;
long maxLifetime = 20000l;
long renewInterval = 10000l;
RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager
(initialInterval, maxLifetime, renewInterval);
rmDtSecretManager.StartThreads();
Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval
+ ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval);
ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this
, conf, scheduler, rmDtSecretManager);
clientRMService.Init(conf);
clientRMService.Start();
ApplicationClientProtocol clientRMWithDT = null;
try
{
// Create a user for the renewr and fake the authentication-method
UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**"
);
NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName());
// Default realm is APACHE.ORG
loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
);
Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
long tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser1", conf);
GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <
GetNewApplicationRequest>();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Renew after 50% of token age.
while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2)
{
Sharpen.Thread.Sleep(500l);
}
long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token);
long renewalTime = Runtime.CurrentTimeMillis();
Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime);
// Wait for first expiry, but before renewed expiry.
while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime.
CurrentTimeMillis() < nextExpTime)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
// Valid token because of renewal.
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Wait for expiry.
while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid");
// Token should have expired.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token");
}
catch (Exception e)
{
NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType
().FullName);
NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired"));
}
// Test cancellation
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
CancelDelegationToken(loggedInUser, clientRMService, token);
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
// Creating a new connection.
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis());
// Verify cancellation worked.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token"
);
}
catch (IOException)
{
}
catch (YarnException)
{
}
// Test new version token
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array());
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier();
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
tokenIdentifier.ReadFields(dib);
// Construct new version RMDelegationTokenIdentifier with additional field
RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest
(tokenIdentifier, "message");
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken =
new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier
, rmDtSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken
(newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword
(), newRMDTtoken.GetService().ToString());
// Now try talking to RMService using the new version delegation token
clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress
(), "loginuser3", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
}
finally
{
rmDtSecretManager.StopThreads();
// TODO PRECOMMIT Close proxies.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
}
}
}
