// Test the DT mast key in the state-store when the mast key is being rolled. /// <exception cref="System.Exception"/> public virtual void TestRMDTMasterKeyStateOnRollingMasterKey() { MemoryRMStateStore memStore = new MemoryRMStateStore(); memStore.Init(conf); RMStateStore.RMState rmState = memStore.GetState(); IDictionary <RMDelegationTokenIdentifier, long> rmDTState = rmState.GetRMDTSecretManagerState ().GetTokenState(); ICollection <DelegationKey> rmDTMasterKeyState = rmState.GetRMDTSecretManagerState ().GetMasterKeyState(); MockRM rm1 = new TestRMDelegationTokens.MyMockRM(this, conf, memStore); rm1.Start(); // on rm start, two master keys are created. // One is created at RMDTSecretMgr.startThreads.updateCurrentKey(); // the other is created on the first run of // tokenRemoverThread.rollMasterKey() RMDelegationTokenSecretManager dtSecretManager = rm1.GetRMContext().GetRMDelegationTokenSecretManager (); // assert all master keys are saved NUnit.Framework.Assert.AreEqual(dtSecretManager.GetAllMasterKeys(), rmDTMasterKeyState ); ICollection <DelegationKey> expiringKeys = new HashSet <DelegationKey>(); Sharpen.Collections.AddAll(expiringKeys, dtSecretManager.GetAllMasterKeys()); // request to generate a RMDelegationToken GetDelegationTokenRequest request = Org.Mockito.Mockito.Mock <GetDelegationTokenRequest >(); Org.Mockito.Mockito.When(request.GetRenewer()).ThenReturn("renewer1"); GetDelegationTokenResponse response = rm1.GetClientRMService().GetDelegationToken (request); Org.Apache.Hadoop.Yarn.Api.Records.Token delegationToken = response.GetRMDelegationToken (); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token1 = ConverterUtils .ConvertFromYarn(delegationToken, (Text)null); RMDelegationTokenIdentifier dtId1 = token1.DecodeIdentifier(); // For all keys that still remain in memory, we should have them stored // in state-store also. while (((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager ).numUpdatedKeys.Get() < 3) { ((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager).CheckCurrentKeyInStateStore (rmDTMasterKeyState); Sharpen.Thread.Sleep(100); } // wait for token to expire and remove from state-store // rollMasterKey is called every 1 second. int count = 0; while (rmDTState.Contains(dtId1) && count < 100) { Sharpen.Thread.Sleep(100); count++; } rm1.Stop(); }
public RMStateStoreRMDTEvent(RMDelegationTokenIdentifier rmDTIdentifier, long renewDate , RMStateStoreEventType type) : this(type) { this.rmDTIdentifier = rmDTIdentifier; this.renewDate = renewDate; }
/// <exception cref="System.Exception"/> protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier rmDTIdentifier, long renewDate) { lock (this) { StoreOrUpdateRMDelegationTokenState(rmDTIdentifier, renewDate, true); } }
public override void RemoveRMDelegationToken(RMDelegationTokenIdentifier rmDTIdentifier ) { lock (this) { this.NotifyStoreOperationFailed(new Exception("testNotifyStoreOperationFailed")); } }
/// <exception cref="System.Exception"/> protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier rmDTIdentifier) { lock (this) { throw new Exception("testNotifyStoreOperationFailed"); } }
/// <exception cref="System.Exception"/> private void LoadRMDTSecretManagerState(RMStateStore.RMState rmState) { CheckAndResumeUpdateOperation(rmDTSecretManagerRoot); FileStatus[] childNodes = ListStatusWithRetries(rmDTSecretManagerRoot); foreach (FileStatus childNodeStatus in childNodes) { System.Diagnostics.Debug.Assert(childNodeStatus.IsFile()); string childNodeName = childNodeStatus.GetPath().GetName(); if (CheckAndRemovePartialRecordWithRetries(childNodeStatus.GetPath())) { continue; } if (childNodeName.StartsWith(DelegationTokenSequenceNumberPrefix)) { rmState.rmSecretManagerState.dtSequenceNumber = System.Convert.ToInt32(childNodeName .Split("_")[1]); continue; } Path childNodePath = GetNodePath(rmDTSecretManagerRoot, childNodeName); byte[] childData = ReadFileWithRetries(childNodePath, childNodeStatus.GetLen()); ByteArrayInputStream @is = new ByteArrayInputStream(childData); using (DataInputStream fsIn = new DataInputStream(@is)) { if (childNodeName.StartsWith(DelegationKeyPrefix)) { DelegationKey key = new DelegationKey(); key.ReadFields(fsIn); rmState.rmSecretManagerState.masterKeyState.AddItem(key); if (Log.IsDebugEnabled()) { Log.Debug("Loaded delegation key: keyId=" + key.GetKeyId() + ", expirationDate=" + key.GetExpiryDate()); } } else { if (childNodeName.StartsWith(DelegationTokenPrefix)) { RMDelegationTokenIdentifierData identifierData = new RMDelegationTokenIdentifierData (); identifierData.ReadFields(fsIn); RMDelegationTokenIdentifier identifier = identifierData.GetTokenIdentifier(); long renewDate = identifierData.GetRenewDate(); rmState.rmSecretManagerState.delegationTokenState[identifier] = renewDate; if (Log.IsDebugEnabled()) { Log.Debug("Loaded RMDelegationTokenIdentifier: " + identifier + " renewDate=" + renewDate ); } } else { Log.Warn("Unknown file for recovering RMDelegationTokenSecretManager"); } } } } }
/// <exception cref="System.IO.IOException"/> public virtual RMDelegationTokenIdentifier GetTokenIdentifier() { ByteArrayInputStream @in = new ByteArrayInputStream(builder.GetTokenIdentifier(). ToByteArray()); RMDelegationTokenIdentifier identifer = new RMDelegationTokenIdentifier(); identifer.ReadFields(new DataInputStream(@in)); return(identifer); }
/// <exception cref="System.Exception"/> protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier rmDTIdentifier, long renewDate) { lock (this) { RemoveRMDelegationTokenState(rmDTIdentifier); StoreOrUpdateRMDT(rmDTIdentifier, renewDate, true); Log.Info("Update RMDT with sequence number " + rmDTIdentifier.GetSequenceNumber() ); } }
/// <exception cref="System.Exception"/> protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier identifier) { lock (this) { Path nodeCreatePath = GetNodePath(rmDTSecretManagerRoot, DelegationTokenPrefix + identifier.GetSequenceNumber()); Log.Info("Removing RMDelegationToken_" + identifier.GetSequenceNumber()); DeleteFileWithRetries(nodeCreatePath); } }
/// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> private void CheckShortCircuitRenewCancel(IPEndPoint rmAddr, IPEndPoint serviceAddr , bool shouldShortCircuit) { Configuration conf = new Configuration(); conf.SetClass(YarnConfiguration.IpcRpcImpl, typeof(TestClientRMTokens.YarnBadRPC) , typeof(YarnRPC)); RMDelegationTokenSecretManager secretManager = Org.Mockito.Mockito.Mock <RMDelegationTokenSecretManager >(); RMDelegationTokenIdentifier.Renewer.SetSecretManager(secretManager, rmAddr); RMDelegationTokenIdentifier ident = new RMDelegationTokenIdentifier(new Text("owner" ), new Text("renewer"), null); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(ident, secretManager); SecurityUtil.SetTokenService(token, serviceAddr); if (shouldShortCircuit) { token.Renew(conf); Org.Mockito.Mockito.Verify(secretManager).RenewToken(Matchers.Eq(token), Matchers.Eq ("renewer")); Org.Mockito.Mockito.Reset(secretManager); token.Cancel(conf); Org.Mockito.Mockito.Verify(secretManager).CancelToken(Matchers.Eq(token), Matchers.Eq ("renewer")); } else { try { token.Renew(conf); NUnit.Framework.Assert.Fail(); } catch (RuntimeException e) { NUnit.Framework.Assert.AreEqual("getProxy", e.Message); } Org.Mockito.Mockito.Verify(secretManager, Org.Mockito.Mockito.Never()).RenewToken (Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>(), Matchers.AnyString()); try { token.Cancel(conf); NUnit.Framework.Assert.Fail(); } catch (RuntimeException e) { NUnit.Framework.Assert.AreEqual("getProxy", e.Message); } Org.Mockito.Mockito.Verify(secretManager, Org.Mockito.Mockito.Never()).CancelToken (Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>(), Matchers.AnyString()); } }
/// <exception cref="System.Exception"/> protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier rmDTIdentifier) { lock (this) { IDictionary <RMDelegationTokenIdentifier, long> rmDTState = state.rmSecretManagerState .GetTokenState(); Sharpen.Collections.Remove(rmDTState, rmDTIdentifier); Log.Info("Remove RMDT with sequence number " + rmDTIdentifier.GetSequenceNumber() ); } }
/// <exception cref="System.IO.IOException"/> protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier tokenId) { string tokenKey = GetRMDTTokenNodeKey(tokenId); if (Log.IsDebugEnabled()) { Log.Debug("Removing token at " + tokenKey); } try { db.Delete(JniDBFactory.Bytes(tokenKey)); } catch (DBException e) { throw new IOException(e); } }
/// <exception cref="System.IO.IOException"/> private void StoreOrUpdateRMDT(RMDelegationTokenIdentifier tokenId, long renewDate , bool isUpdate) { string tokenKey = GetRMDTTokenNodeKey(tokenId); RMDelegationTokenIdentifierData tokenData = new RMDelegationTokenIdentifierData(tokenId , renewDate); if (Log.IsDebugEnabled()) { Log.Debug("Storing token to " + tokenKey); } try { WriteBatch batch = db.CreateWriteBatch(); try { batch.Put(JniDBFactory.Bytes(tokenKey), tokenData.ToByteArray()); if (!isUpdate) { ByteArrayOutputStream bs = new ByteArrayOutputStream(); using (DataOutputStream ds = new DataOutputStream(bs)) { ds.WriteInt(tokenId.GetSequenceNumber()); } if (Log.IsDebugEnabled()) { Log.Debug("Storing " + tokenId.GetSequenceNumber() + " to " + RmDtSequenceNumberKey ); } batch.Put(JniDBFactory.Bytes(RmDtSequenceNumberKey), bs.ToByteArray()); } db.Write(batch); } finally { batch.Close(); } } catch (DBException e) { throw new IOException(e); } }
/// <exception cref="System.IO.IOException"/> private int LoadRMDTSecretManagerTokens(RMStateStore.RMState state) { int numTokens = 0; LeveldbIterator iter = null; try { iter = new LeveldbIterator(db); iter.Seek(JniDBFactory.Bytes(RmDtTokenKeyPrefix)); while (iter.HasNext()) { KeyValuePair <byte[], byte[]> entry = iter.Next(); string key = JniDBFactory.AsString(entry.Key); if (!key.StartsWith(RmDtTokenKeyPrefix)) { break; } RMDelegationTokenIdentifierData tokenData = LoadDelegationToken(entry.Value); RMDelegationTokenIdentifier tokenId = tokenData.GetTokenIdentifier(); long renewDate = tokenData.GetRenewDate(); state.rmSecretManagerState.delegationTokenState[tokenId] = renewDate; ++numTokens; if (Log.IsDebugEnabled()) { Log.Debug("Loaded RM delegation token from " + key + ": tokenId=" + tokenId + ", renewDate=" + renewDate); } } } catch (DBException e) { throw new IOException(e); } finally { if (iter != null) { iter.Close(); } } return(numTokens); }
/// <exception cref="System.Exception"/> private void StoreOrUpdateRMDT(RMDelegationTokenIdentifier rmDTIdentifier, long renewDate , bool isUpdate) { IDictionary <RMDelegationTokenIdentifier, long> rmDTState = state.rmSecretManagerState .GetTokenState(); if (rmDTState.Contains(rmDTIdentifier)) { IOException e = new IOException("RMDelegationToken: " + rmDTIdentifier + "is already stored." ); Log.Info("Error storing info for RMDelegationToken: " + rmDTIdentifier, e); throw e; } rmDTState[rmDTIdentifier] = renewDate; if (!isUpdate) { state.rmSecretManagerState.dtSequenceNumber = rmDTIdentifier.GetSequenceNumber(); } Log.Info("Store RMDT with sequence number " + rmDTIdentifier.GetSequenceNumber()); }
public RMDelegationTokenIdentifierForTest(RMDelegationTokenIdentifier token, string message) { if (token.GetOwner() != null) { SetOwner(new Text(token.GetOwner())); } if (token.GetRenewer() != null) { SetRenewer(new Text(token.GetRenewer())); } if (token.GetRealUser() != null) { SetRealUser(new Text(token.GetRealUser())); } SetIssueDate(token.GetIssueDate()); SetMaxDate(token.GetMaxDate()); SetSequenceNumber(token.GetSequenceNumber()); SetMasterKeyId(token.GetMasterKeyId()); builder.SetMessage(message); }
/// <exception cref="System.Exception"/> private void StoreOrUpdateRMDelegationTokenState(RMDelegationTokenIdentifier identifier , long renewDate, bool isUpdate) { Path nodeCreatePath = GetNodePath(rmDTSecretManagerRoot, DelegationTokenPrefix + identifier.GetSequenceNumber()); RMDelegationTokenIdentifierData identifierData = new RMDelegationTokenIdentifierData (identifier, renewDate); if (isUpdate) { Log.Info("Updating RMDelegationToken_" + identifier.GetSequenceNumber()); UpdateFile(nodeCreatePath, identifierData.ToByteArray(), true); } else { Log.Info("Storing RMDelegationToken_" + identifier.GetSequenceNumber()); WriteFileWithRetries(nodeCreatePath, identifierData.ToByteArray(), true); // store sequence number Path latestSequenceNumberPath = GetNodePath(rmDTSecretManagerRoot, DelegationTokenSequenceNumberPrefix + identifier.GetSequenceNumber()); Log.Info("Storing " + DelegationTokenSequenceNumberPrefix + identifier.GetSequenceNumber ()); if (dtSequenceNumberPath == null) { if (!CreateFileWithRetries(latestSequenceNumberPath)) { throw new Exception("Failed to create " + latestSequenceNumberPath); } } else { if (!RenameFileWithRetries(dtSequenceNumberPath, latestSequenceNumberPath)) { throw new Exception("Failed to rename " + dtSequenceNumberPath); } } dtSequenceNumberPath = latestSequenceNumberPath; } }
public virtual void TestNotifyStoreOperationFailed() { RMStateStore store = new _MemoryRMStateStore_34(); Configuration conf = new Configuration(); conf.SetBoolean(YarnConfiguration.RmHaEnabled, true); store.Init(conf); ResourceManager mockRM = Org.Mockito.Mockito.Mock <ResourceManager>(); store.SetResourceManager(mockRM); RMDelegationTokenIdentifier mockTokenId = Org.Mockito.Mockito.Mock <RMDelegationTokenIdentifier >(); store.RemoveRMDelegationToken(mockTokenId); NUnit.Framework.Assert.IsTrue("RMStateStore should have been in fenced state", store .IsFencedState()); store = new _MemoryRMStateStore_51(); store.Init(conf); store.SetResourceManager(mockRM); store.RemoveRMDelegationToken(mockTokenId); NUnit.Framework.Assert.IsTrue("RMStateStore should have been in fenced state", store .IsFencedState()); }
public virtual void TestFencedState() { TestZKRMStateStore.TestZKRMStateStoreTester zkTester = new TestZKRMStateStore.TestZKRMStateStoreTester (this); RMStateStore store = zkTester.GetRMStateStore(); // Move state to FENCED from ACTIVE store.UpdateFencedState(); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); long submitTime = Runtime.CurrentTimeMillis(); long startTime = submitTime + 1000; // Add a new app RMApp mockApp = Org.Mockito.Mockito.Mock <RMApp>(); ApplicationSubmissionContext context = new ApplicationSubmissionContextPBImpl(); Org.Mockito.Mockito.When(mockApp.GetSubmitTime()).ThenReturn(submitTime); Org.Mockito.Mockito.When(mockApp.GetStartTime()).ThenReturn(startTime); Org.Mockito.Mockito.When(mockApp.GetApplicationSubmissionContext()).ThenReturn(context ); Org.Mockito.Mockito.When(mockApp.GetUser()).ThenReturn("test"); store.StoreNewApplication(mockApp); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // Add a new attempt ClientToAMTokenSecretManagerInRM clientToAMTokenMgr = new ClientToAMTokenSecretManagerInRM (); ApplicationAttemptId attemptId = ConverterUtils.ToApplicationAttemptId("appattempt_1234567894321_0001_000001" ); SecretKey clientTokenMasterKey = clientToAMTokenMgr.CreateMasterKey(attemptId); RMAppAttemptMetrics mockRmAppAttemptMetrics = Org.Mockito.Mockito.Mock <RMAppAttemptMetrics >(); Container container = new ContainerPBImpl(); container.SetId(ConverterUtils.ToContainerId("container_1234567891234_0001_01_000001" )); RMAppAttempt mockAttempt = Org.Mockito.Mockito.Mock <RMAppAttempt>(); Org.Mockito.Mockito.When(mockAttempt.GetAppAttemptId()).ThenReturn(attemptId); Org.Mockito.Mockito.When(mockAttempt.GetMasterContainer()).ThenReturn(container); Org.Mockito.Mockito.When(mockAttempt.GetClientTokenMasterKey()).ThenReturn(clientTokenMasterKey ); Org.Mockito.Mockito.When(mockAttempt.GetRMAppAttemptMetrics()).ThenReturn(mockRmAppAttemptMetrics ); Org.Mockito.Mockito.When(mockRmAppAttemptMetrics.GetAggregateAppResourceUsage()). ThenReturn(new AggregateAppResourceUsage(0, 0)); store.StoreNewApplicationAttempt(mockAttempt); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); long finishTime = submitTime + 1000; // Update attempt ApplicationAttemptStateData newAttemptState = ApplicationAttemptStateData.NewInstance (attemptId, container, store.GetCredentialsFromAppAttempt(mockAttempt), startTime , RMAppAttemptState.Finished, "testUrl", "test", FinalApplicationStatus.Succeeded , 100, finishTime, 0, 0); store.UpdateApplicationAttemptState(newAttemptState); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // Update app ApplicationStateData appState = ApplicationStateData.NewInstance(submitTime, startTime , context, "test"); store.UpdateApplicationState(appState); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // Remove app store.RemoveApplication(mockApp); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // store RM delegation token; RMDelegationTokenIdentifier dtId1 = new RMDelegationTokenIdentifier(new Text("owner1" ), new Text("renewer1"), new Text("realuser1")); long renewDate1 = Runtime.CurrentTimeMillis(); dtId1.SetSequenceNumber(1111); store.StoreRMDelegationToken(dtId1, renewDate1); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); store.UpdateRMDelegationToken(dtId1, renewDate1); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // remove delegation key; store.RemoveRMDelegationToken(dtId1); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // store delegation master key; DelegationKey key = new DelegationKey(1234, 4321, Sharpen.Runtime.GetBytesForString ("keyBytes")); store.StoreRMDTMasterKey(key); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // remove delegation master key; store.RemoveRMDTMasterKey(key); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); // store or update AMRMToken; store.StoreOrUpdateAMRMTokenSecretManager(null, false); NUnit.Framework.Assert.AreEqual("RMStateStore should have been in fenced state", true, store.IsFencedState()); store.Close(); }
/// <exception cref="System.IO.IOException"/> protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier tokenId, long renewDate) { StoreOrUpdateRMDT(tokenId, renewDate, true); }
private string GetRMDTTokenNodeKey(RMDelegationTokenIdentifier tokenId) { return(RmDtTokenKeyPrefix + tokenId.GetSequenceNumber()); }
/// <exception cref="System.Exception"/> public virtual void TestRMDTSecretManagerStateStore(RMStateStoreTestBase.RMStateStoreHelper stateStoreHelper) { RMStateStore store = stateStoreHelper.GetRMStateStore(); RMStateStoreTestBase.TestDispatcher dispatcher = new RMStateStoreTestBase.TestDispatcher (); store.SetRMDispatcher(dispatcher); // store RM delegation token; RMDelegationTokenIdentifier dtId1 = new RMDelegationTokenIdentifier(new Text("owner1" ), new Text("renewer1"), new Text("realuser1")); int sequenceNumber = 1111; dtId1.SetSequenceNumber(sequenceNumber); byte[] tokenBeforeStore = dtId1.GetBytes(); long renewDate1 = Runtime.CurrentTimeMillis(); store.StoreRMDelegationToken(dtId1, renewDate1); ModifyRMDelegationTokenState(); IDictionary <RMDelegationTokenIdentifier, long> token1 = new Dictionary <RMDelegationTokenIdentifier , long>(); token1[dtId1] = renewDate1; // store delegation key; DelegationKey key = new DelegationKey(1234, 4321, Sharpen.Runtime.GetBytesForString ("keyBytes")); HashSet <DelegationKey> keySet = new HashSet <DelegationKey>(); keySet.AddItem(key); store.StoreRMDTMasterKey(key); RMStateStore.RMDTSecretManagerState secretManagerState = store.LoadState().GetRMDTSecretManagerState (); NUnit.Framework.Assert.AreEqual(token1, secretManagerState.GetTokenState()); NUnit.Framework.Assert.AreEqual(keySet, secretManagerState.GetMasterKeyState()); NUnit.Framework.Assert.AreEqual(sequenceNumber, secretManagerState.GetDTSequenceNumber ()); RMDelegationTokenIdentifier tokenAfterStore = secretManagerState.GetTokenState(). Keys.GetEnumerator().Next(); NUnit.Framework.Assert.IsTrue(Arrays.Equals(tokenBeforeStore, tokenAfterStore.GetBytes ())); // update RM delegation token; renewDate1 = Runtime.CurrentTimeMillis(); store.UpdateRMDelegationToken(dtId1, renewDate1); token1[dtId1] = renewDate1; RMStateStore.RMDTSecretManagerState updateSecretManagerState = store.LoadState(). GetRMDTSecretManagerState(); NUnit.Framework.Assert.AreEqual(token1, updateSecretManagerState.GetTokenState()); NUnit.Framework.Assert.AreEqual(keySet, updateSecretManagerState.GetMasterKeyState ()); NUnit.Framework.Assert.AreEqual(sequenceNumber, updateSecretManagerState.GetDTSequenceNumber ()); // check to delete delegationKey store.RemoveRMDTMasterKey(key); keySet.Clear(); RMStateStore.RMDTSecretManagerState noKeySecretManagerState = store.LoadState().GetRMDTSecretManagerState (); NUnit.Framework.Assert.AreEqual(token1, noKeySecretManagerState.GetTokenState()); NUnit.Framework.Assert.AreEqual(keySet, noKeySecretManagerState.GetMasterKeyState ()); NUnit.Framework.Assert.AreEqual(sequenceNumber, noKeySecretManagerState.GetDTSequenceNumber ()); // check to delete delegationToken store.RemoveRMDelegationToken(dtId1); RMStateStore.RMDTSecretManagerState noKeyAndTokenSecretManagerState = store.LoadState ().GetRMDTSecretManagerState(); token1.Clear(); NUnit.Framework.Assert.AreEqual(token1, noKeyAndTokenSecretManagerState.GetTokenState ()); NUnit.Framework.Assert.AreEqual(keySet, noKeyAndTokenSecretManagerState.GetMasterKeyState ()); NUnit.Framework.Assert.AreEqual(sequenceNumber, noKeySecretManagerState.GetDTSequenceNumber ()); store.Close(); }
/// <exception cref="System.Exception"/> public virtual void TestGetHSDelegationToken() { try { Configuration conf = new Configuration(); // Setup mock service IPEndPoint mockRmAddress = new IPEndPoint("localhost", 4444); Text rmTokenSevice = SecurityUtil.BuildTokenService(mockRmAddress); IPEndPoint mockHsAddress = new IPEndPoint("localhost", 9200); Text hsTokenSevice = SecurityUtil.BuildTokenService(mockHsAddress); // Setup mock rm token RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new Text("owner"), new Text("renewer"), new Text("real")); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(new byte[0], new byte[0], tokenIdentifier.GetKind( ), rmTokenSevice); token.SetKind(RMDelegationTokenIdentifier.KindName); // Setup mock history token Org.Apache.Hadoop.Yarn.Api.Records.Token historyToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(new byte[0], MRDelegationTokenIdentifier.KindName.ToString(), new byte [0], hsTokenSevice.ToString()); GetDelegationTokenResponse getDtResponse = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetDelegationTokenResponse>(); getDtResponse.SetDelegationToken(historyToken); // mock services MRClientProtocol mockHsProxy = Org.Mockito.Mockito.Mock <MRClientProtocol>(); Org.Mockito.Mockito.DoReturn(mockHsAddress).When(mockHsProxy).GetConnectAddress(); Org.Mockito.Mockito.DoReturn(getDtResponse).When(mockHsProxy).GetDelegationToken( Matchers.Any <GetDelegationTokenRequest>()); ResourceMgrDelegate rmDelegate = Org.Mockito.Mockito.Mock <ResourceMgrDelegate>(); Org.Mockito.Mockito.DoReturn(rmTokenSevice).When(rmDelegate).GetRMDelegationTokenService (); ClientCache clientCache = Org.Mockito.Mockito.Mock <ClientCache>(); Org.Mockito.Mockito.DoReturn(mockHsProxy).When(clientCache).GetInitializedHSProxy (); Credentials creds = new Credentials(); YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache); // No HS token if no RM token yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); // No HS token if RM token, but secirity disabled. creds.AddToken(new Text("rmdt"), token); yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); creds = new Credentials(); // No HS token if no RM token, security enabled yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); // HS token if RM token present, security enabled creds.AddToken(new Text("rmdt"), token); yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); // No additional call to get HS token if RM and HS token present yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); } finally { // Back to defaults. UserGroupInformation.SetConfiguration(new Configuration()); } }
public virtual void TestRMDelegationTokenIdentifier() { Text owner = new Text("user1"); Text renewer = new Text("user2"); Text realUser = new Text("user3"); long issueDate = 1; long maxDate = 2; int sequenceNumber = 3; int masterKeyId = 4; RMDelegationTokenIdentifier token = new RMDelegationTokenIdentifier(owner, renewer , realUser); token.SetIssueDate(issueDate); token.SetMaxDate(maxDate); token.SetSequenceNumber(sequenceNumber); token.SetMasterKeyId(masterKeyId); RMDelegationTokenIdentifier anotherToken = new RMDelegationTokenIdentifier(); byte[] tokenContent = token.GetBytes(); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenContent, tokenContent.Length); anotherToken.ReadFields(dib); dib.Close(); // verify the whole record equals with original record NUnit.Framework.Assert.AreEqual("Token is not the same after serialization " + "and deserialization." , token, anotherToken); NUnit.Framework.Assert.AreEqual("owner from proto is not the same with original token" , anotherToken.GetOwner(), owner); NUnit.Framework.Assert.AreEqual("renewer from proto is not the same with original token" , anotherToken.GetRenewer(), renewer); NUnit.Framework.Assert.AreEqual("realUser from proto is not the same with original token" , anotherToken.GetRealUser(), realUser); NUnit.Framework.Assert.AreEqual("issueDate from proto is not the same with original token" , anotherToken.GetIssueDate(), issueDate); NUnit.Framework.Assert.AreEqual("maxDate from proto is not the same with original token" , anotherToken.GetMaxDate(), maxDate); NUnit.Framework.Assert.AreEqual("sequenceNumber from proto is not the same with original token" , anotherToken.GetSequenceNumber(), sequenceNumber); NUnit.Framework.Assert.AreEqual("masterKeyId from proto is not the same with original token" , anotherToken.GetMasterKeyId(), masterKeyId); // Test getProto RMDelegationTokenIdentifier token1 = new RMDelegationTokenIdentifier(owner, renewer , realUser); token1.SetIssueDate(issueDate); token1.SetMaxDate(maxDate); token1.SetSequenceNumber(sequenceNumber); token1.SetMasterKeyId(masterKeyId); YarnSecurityTokenProtos.YARNDelegationTokenIdentifierProto tokenProto = token1.GetProto (); // Write token proto to stream ByteArrayOutputStream baos = new ByteArrayOutputStream(); DataOutputStream @out = new DataOutputStream(baos); tokenProto.WriteTo(@out); // Read token byte[] tokenData = baos.ToByteArray(); RMDelegationTokenIdentifier readToken = new RMDelegationTokenIdentifier(); DataInputBuffer db = new DataInputBuffer(); db.Reset(tokenData, tokenData.Length); readToken.ReadFields(db); // Verify if read token equals with original token NUnit.Framework.Assert.AreEqual("Token from getProto is not the same after " + "serialization and deserialization." , token1, readToken); db.Close(); @out.Close(); }
// Do nothing /// <exception cref="System.Exception"/> protected internal override void UpdateRMDelegationTokenState(RMDelegationTokenIdentifier rmDTIdentifier, long renewDate) { }
// Do nothing /// <exception cref="System.Exception"/> protected internal override void RemoveRMDelegationTokenState(RMDelegationTokenIdentifier rmDTIdentifier) { }
public virtual void TestDelegationToken() { YarnConfiguration conf = new YarnConfiguration(); conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]"); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ResourceScheduler scheduler = CreateMockScheduler(conf); long initialInterval = 10000l; long maxLifetime = 20000l; long renewInterval = 10000l; RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager (initialInterval, maxLifetime, renewInterval); rmDtSecretManager.StartThreads(); Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval + ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval); ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this , conf, scheduler, rmDtSecretManager); clientRMService.Init(conf); clientRMService.Start(); ApplicationClientProtocol clientRMWithDT = null; try { // Create a user for the renewr and fake the authentication-method UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**" ); NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName()); // Default realm is APACHE.ORG loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos ); Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); long tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser1", conf); GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord < GetNewApplicationRequest>(); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Renew after 50% of token age. while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2) { Sharpen.Thread.Sleep(500l); } long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token); long renewalTime = Runtime.CurrentTimeMillis(); Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime); // Wait for first expiry, but before renewed expiry. while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime. CurrentTimeMillis() < nextExpTime) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); // Valid token because of renewal. try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Wait for expiry. while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid"); // Token should have expired. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token"); } catch (Exception e) { NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType ().FullName); NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired")); } // Test cancellation // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } CancelDelegationToken(loggedInUser, clientRMService, token); if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } // Creating a new connection. clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis()); // Verify cancellation worked. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token" ); } catch (IOException) { } catch (YarnException) { } // Test new version token // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array()); RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); tokenIdentifier.ReadFields(dib); // Construct new version RMDelegationTokenIdentifier with additional field RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest (tokenIdentifier, "message"); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken = new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier , rmDtSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken (newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword (), newRMDTtoken.GetService().ToString()); // Now try talking to RMService using the new version delegation token clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress (), "loginuser3", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } } finally { rmDtSecretManager.StopThreads(); // TODO PRECOMMIT Close proxies. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); } } }