/// <exception cref="System.Exception"/>
        public virtual void TestAMRMTokenSecretManagerStateStore(RMStateStoreTestBase.RMStateStoreHelper
                                                                 stateStoreHelper)
        {
            System.Console.Out.WriteLine("Start testing");
            RMStateStore store = stateStoreHelper.GetRMStateStore();

            RMStateStoreTestBase.TestDispatcher dispatcher = new RMStateStoreTestBase.TestDispatcher
                                                                 ();
            store.SetRMDispatcher(dispatcher);
            RMContext rmContext = Org.Mockito.Mockito.Mock <RMContext>();

            Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store);
            Configuration          conf        = new YarnConfiguration();
            AMRMTokenSecretManager appTokenMgr = new AMRMTokenSecretManager(conf, rmContext);
            //create and save the first masterkey
            MasterKeyData firstMasterKeyData   = appTokenMgr.CreateNewMasterKey();
            AMRMTokenSecretManagerState state1 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData
                                                                                         .GetMasterKey(), null);

            rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state1, false);
            // load state
            store = stateStoreHelper.GetRMStateStore();
            Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store);
            store.SetRMDispatcher(dispatcher);
            RMStateStore.RMState state = store.LoadState();
            NUnit.Framework.Assert.IsNotNull(state.GetAMRMTokenSecretManagerState());
            NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state.GetAMRMTokenSecretManagerState
                                                ().GetCurrentMasterKey());
            NUnit.Framework.Assert.IsNull(state.GetAMRMTokenSecretManagerState().GetNextMasterKey
                                              ());
            //create and save the second masterkey
            MasterKeyData secondMasterKeyData  = appTokenMgr.CreateNewMasterKey();
            AMRMTokenSecretManagerState state2 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData
                                                                                         .GetMasterKey(), secondMasterKeyData.GetMasterKey());

            rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state2, true);
            // load state
            store = stateStoreHelper.GetRMStateStore();
            Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store);
            store.SetRMDispatcher(dispatcher);
            RMStateStore.RMState state_2 = store.LoadState();
            NUnit.Framework.Assert.IsNotNull(state_2.GetAMRMTokenSecretManagerState());
            NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState
                                                ().GetCurrentMasterKey());
            NUnit.Framework.Assert.AreEqual(secondMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState
                                                ().GetNextMasterKey());
            // re-create the masterKeyData based on the recovered masterkey
            // should have the same secretKey
            appTokenMgr.Recover(state_2);
            NUnit.Framework.Assert.AreEqual(appTokenMgr.GetCurrnetMasterKeyData().GetSecretKey
                                                (), firstMasterKeyData.GetSecretKey());
            NUnit.Framework.Assert.AreEqual(appTokenMgr.GetNextMasterKeyData().GetSecretKey()
                                            , secondMasterKeyData.GetSecretKey());
            store.Close();
        }
        /// <summary>
        /// This method will be used to verify NMTokens generated by different master
        /// keys.
        /// </summary>
        /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/>
        public override byte[] RetrievePassword(NMTokenIdentifier identifier)
        {
            lock (this)
            {
                int keyId = identifier.GetKeyId();
                ApplicationAttemptId appAttemptId = identifier.GetApplicationAttemptId();

                /*
                 * MasterKey used for retrieving password will be as follows. 1) By default
                 * older saved master key will be used. 2) If identifier's master key id
                 * matches that of previous master key id then previous key will be used. 3)
                 * If identifier's master key id matches that of current master key id then
                 * current key will be used.
                 */
                MasterKeyData oldMasterKey   = oldMasterKeys[appAttemptId];
                MasterKeyData masterKeyToUse = oldMasterKey;
                if (previousMasterKey != null && keyId == previousMasterKey.GetMasterKey().GetKeyId
                        ())
                {
                    masterKeyToUse = previousMasterKey;
                }
                else
                {
                    if (keyId == currentMasterKey.GetMasterKey().GetKeyId())
                    {
                        masterKeyToUse = currentMasterKey;
                    }
                }
                if (nodeId != null && !identifier.GetNodeId().Equals(nodeId))
                {
                    throw new SecretManager.InvalidToken("Given NMToken for application : " + appAttemptId
                                                         .ToString() + " is not valid for current node manager." + "expected : " + nodeId
                                                         .ToString() + " found : " + identifier.GetNodeId().ToString());
                }
                if (masterKeyToUse != null)
                {
                    byte[] password = RetrivePasswordInternal(identifier, masterKeyToUse);
                    Log.Debug("NMToken password retrieved successfully!!");
                    return(password);
                }
                throw new SecretManager.InvalidToken("Given NMToken for application : " + appAttemptId
                                                     .ToString() + " seems to have been generated illegally.");
            }
        }
Esempio n. 3
0
 private void UpdateCurrentMasterKey(MasterKeyData key)
 {
     base.currentMasterKey = key;
     try
     {
         stateStore.StoreContainerTokenCurrentMasterKey(key.GetMasterKey());
     }
     catch (IOException e)
     {
         Log.Error("Unable to update current master key in state store", e);
     }
 }
Esempio n. 4
0
 private void UpdatePreviousMasterKey(MasterKeyData key)
 {
     previousMasterKey = key;
     try
     {
         stateStore.StoreContainerTokenPreviousMasterKey(key.GetMasterKey());
     }
     catch (IOException e)
     {
         Log.Error("Unable to update previous master key in state store", e);
     }
 }
 private void UpdateAppAttemptKey(ApplicationAttemptId attempt, MasterKeyData key)
 {
     this.oldMasterKeys[attempt] = key;
     try
     {
         stateStore.StoreNMTokenApplicationMasterKey(attempt, key.GetMasterKey());
     }
     catch (IOException e)
     {
         Log.Error("Unable to store master key for application " + attempt, e);
     }
 }
 /// <summary>This will be called by startContainer.</summary>
 /// <remarks>
 /// This will be called by startContainer. It will add the master key into
 /// the cache used for starting this container. This should be called before
 /// validating the startContainer request.
 /// </remarks>
 /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/>
 public virtual void AppAttemptStartContainer(NMTokenIdentifier identifier)
 {
     lock (this)
     {
         ApplicationAttemptId appAttemptId = identifier.GetApplicationAttemptId();
         if (!appToAppAttemptMap.Contains(appAttemptId.GetApplicationId()))
         {
             // First application attempt for the given application
             appToAppAttemptMap[appAttemptId.GetApplicationId()] = new AList <ApplicationAttemptId
                                                                              >();
         }
         MasterKeyData oldKey = oldMasterKeys[appAttemptId];
         if (oldKey == null)
         {
             // This is a new application attempt.
             appToAppAttemptMap[appAttemptId.GetApplicationId()].AddItem(appAttemptId);
         }
         if (oldKey == null || oldKey.GetMasterKey().GetKeyId() != identifier.GetKeyId())
         {
             // Update key only if it is modified.
             Log.Debug("NMToken key updated for application attempt : " + identifier.GetApplicationAttemptId
                           ().ToString());
             if (identifier.GetKeyId() == currentMasterKey.GetMasterKey().GetKeyId())
             {
                 UpdateAppAttemptKey(appAttemptId, currentMasterKey);
             }
             else
             {
                 if (previousMasterKey != null && identifier.GetKeyId() == previousMasterKey.GetMasterKey
                         ().GetKeyId())
                 {
                     UpdateAppAttemptKey(appAttemptId, previousMasterKey);
                 }
                 else
                 {
                     throw new SecretManager.InvalidToken("Older NMToken should not be used while starting the container."
                                                          );
                 }
             }
         }
     }
 }
        /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
        /// <exception cref="System.IO.IOException"/>
        public virtual AllocateResponse Allocate(AllocateRequest request)
        {
            AMRMTokenIdentifier  amrmTokenIdentifier = AuthorizeRequest();
            ApplicationAttemptId appAttemptId        = amrmTokenIdentifier.GetApplicationAttemptId();
            ApplicationId        applicationId       = appAttemptId.GetApplicationId();

            this.amLivelinessMonitor.ReceivedPing(appAttemptId);
            /* check if its in cache */
            ApplicationMasterService.AllocateResponseLock Lock = responseMap[appAttemptId];
            if (Lock == null)
            {
                string message = "Application attempt " + appAttemptId + " doesn't exist in ApplicationMasterService cache.";
                Log.Error(message);
                throw new ApplicationAttemptNotFoundException(message);
            }
            lock (Lock)
            {
                AllocateResponse lastResponse = Lock.GetAllocateResponse();
                if (!HasApplicationMasterRegistered(appAttemptId))
                {
                    string message = "AM is not registered for known application attempt: " + appAttemptId
                                     + " or RM had restarted after AM registered . AM should re-register.";
                    Log.Info(message);
                    RMAuditLogger.LogFailure(this.rmContext.GetRMApps()[appAttemptId.GetApplicationId
                                                                            ()].GetUser(), RMAuditLogger.AuditConstants.AmAllocate, string.Empty, "ApplicationMasterService"
                                             , message, applicationId, appAttemptId);
                    throw new ApplicationMasterNotRegisteredException(message);
                }
                if ((request.GetResponseId() + 1) == lastResponse.GetResponseId())
                {
                    /* old heartbeat */
                    return(lastResponse);
                }
                else
                {
                    if (request.GetResponseId() + 1 < lastResponse.GetResponseId())
                    {
                        string message = "Invalid responseId in AllocateRequest from application attempt: "
                                         + appAttemptId + ", expect responseId to be " + (lastResponse.GetResponseId() +
                                                                                          1);
                        throw new InvalidApplicationMasterRequestException(message);
                    }
                }
                //filter illegal progress values
                float filteredProgress = request.GetProgress();
                if (float.IsNaN(filteredProgress) || filteredProgress == float.NegativeInfinity ||
                    filteredProgress < 0)
                {
                    request.SetProgress(0);
                }
                else
                {
                    if (filteredProgress > 1 || filteredProgress == float.PositiveInfinity)
                    {
                        request.SetProgress(1);
                    }
                }
                // Send the status update to the appAttempt.
                this.rmContext.GetDispatcher().GetEventHandler().Handle(new RMAppAttemptStatusupdateEvent
                                                                            (appAttemptId, request.GetProgress()));
                IList <ResourceRequest>  ask                = request.GetAskList();
                IList <ContainerId>      release            = request.GetReleaseList();
                ResourceBlacklistRequest blacklistRequest   = request.GetResourceBlacklistRequest();
                IList <string>           blacklistAdditions = (blacklistRequest != null) ? blacklistRequest.
                                                              GetBlacklistAdditions() : Sharpen.Collections.EmptyList;
                IList <string> blacklistRemovals = (blacklistRequest != null) ? blacklistRequest.GetBlacklistRemovals
                                                       () : Sharpen.Collections.EmptyList;
                RMApp app = this.rmContext.GetRMApps()[applicationId];
                // set label expression for Resource Requests if resourceName=ANY
                ApplicationSubmissionContext asc = app.GetApplicationSubmissionContext();
                foreach (ResourceRequest req in ask)
                {
                    if (null == req.GetNodeLabelExpression() && ResourceRequest.Any.Equals(req.GetResourceName
                                                                                               ()))
                    {
                        req.SetNodeLabelExpression(asc.GetNodeLabelExpression());
                    }
                }
                // sanity check
                try
                {
                    RMServerUtils.NormalizeAndValidateRequests(ask, rScheduler.GetMaximumResourceCapability
                                                                   (), app.GetQueue(), rScheduler, rmContext);
                }
                catch (InvalidResourceRequestException e)
                {
                    Log.Warn("Invalid resource ask by application " + appAttemptId, e);
                    throw;
                }
                try
                {
                    RMServerUtils.ValidateBlacklistRequest(blacklistRequest);
                }
                catch (InvalidResourceBlacklistRequestException e)
                {
                    Log.Warn("Invalid blacklist request by application " + appAttemptId, e);
                    throw;
                }
                // In the case of work-preserving AM restart, it's possible for the
                // AM to release containers from the earlier attempt.
                if (!app.GetApplicationSubmissionContext().GetKeepContainersAcrossApplicationAttempts
                        ())
                {
                    try
                    {
                        RMServerUtils.ValidateContainerReleaseRequest(release, appAttemptId);
                    }
                    catch (InvalidContainerReleaseException e)
                    {
                        Log.Warn("Invalid container release by application " + appAttemptId, e);
                        throw;
                    }
                }
                // Send new requests to appAttempt.
                Allocation allocation = this.rScheduler.Allocate(appAttemptId, ask, release, blacklistAdditions
                                                                 , blacklistRemovals);
                if (!blacklistAdditions.IsEmpty() || !blacklistRemovals.IsEmpty())
                {
                    Log.Info("blacklist are updated in Scheduler." + "blacklistAdditions: " + blacklistAdditions
                             + ", " + "blacklistRemovals: " + blacklistRemovals);
                }
                RMAppAttempt     appAttempt       = app.GetRMAppAttempt(appAttemptId);
                AllocateResponse allocateResponse = recordFactory.NewRecordInstance <AllocateResponse
                                                                                     >();
                if (!allocation.GetContainers().IsEmpty())
                {
                    allocateResponse.SetNMTokens(allocation.GetNMTokens());
                }
                // update the response with the deltas of node status changes
                IList <RMNode> updatedNodes = new AList <RMNode>();
                if (app.PullRMNodeUpdates(updatedNodes) > 0)
                {
                    IList <NodeReport> updatedNodeReports = new AList <NodeReport>();
                    foreach (RMNode rmNode in updatedNodes)
                    {
                        SchedulerNodeReport schedulerNodeReport = rScheduler.GetNodeReport(rmNode.GetNodeID
                                                                                               ());
                        Resource used          = BuilderUtils.NewResource(0, 0);
                        int      numContainers = 0;
                        if (schedulerNodeReport != null)
                        {
                            used          = schedulerNodeReport.GetUsedResource();
                            numContainers = schedulerNodeReport.GetNumContainers();
                        }
                        NodeId     nodeId = rmNode.GetNodeID();
                        NodeReport report = BuilderUtils.NewNodeReport(nodeId, rmNode.GetState(), rmNode.
                                                                       GetHttpAddress(), rmNode.GetRackName(), used, rmNode.GetTotalCapability(), numContainers
                                                                       , rmNode.GetHealthReport(), rmNode.GetLastHealthReportTime(), rmNode.GetNodeLabels
                                                                           ());
                        updatedNodeReports.AddItem(report);
                    }
                    allocateResponse.SetUpdatedNodes(updatedNodeReports);
                }
                allocateResponse.SetAllocatedContainers(allocation.GetContainers());
                allocateResponse.SetCompletedContainersStatuses(appAttempt.PullJustFinishedContainers
                                                                    ());
                allocateResponse.SetResponseId(lastResponse.GetResponseId() + 1);
                allocateResponse.SetAvailableResources(allocation.GetResourceLimit());
                allocateResponse.SetNumClusterNodes(this.rScheduler.GetNumClusterNodes());
                // add preemption to the allocateResponse message (if any)
                allocateResponse.SetPreemptionMessage(GeneratePreemptionMessage(allocation));
                // update AMRMToken if the token is rolled-up
                MasterKeyData nextMasterKey = this.rmContext.GetAMRMTokenSecretManager().GetNextMasterKeyData
                                                  ();
                if (nextMasterKey != null && nextMasterKey.GetMasterKey().GetKeyId() != amrmTokenIdentifier
                    .GetKeyId())
                {
                    RMAppAttemptImpl appAttemptImpl = (RMAppAttemptImpl)appAttempt;
                    Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = appAttempt
                                                                                             .GetAMRMToken();
                    if (nextMasterKey.GetMasterKey().GetKeyId() != appAttemptImpl.GetAMRMTokenKeyId())
                    {
                        Log.Info("The AMRMToken has been rolled-over. Send new AMRMToken back" + " to application: "
                                 + applicationId);
                        amrmToken = rmContext.GetAMRMTokenSecretManager().CreateAndGetAMRMToken(appAttemptId
                                                                                                );
                        appAttemptImpl.SetAMRMToken(amrmToken);
                    }
                    allocateResponse.SetAMRMToken(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance
                                                      (amrmToken.GetIdentifier(), amrmToken.GetKind().ToString(), amrmToken.GetPassword
                                                          (), amrmToken.GetService().ToString()));
                }

                /*
                 * As we are updating the response inside the lock object so we don't
                 * need to worry about unregister call occurring in between (which
                 * removes the lock object).
                 */
                Lock.SetAllocateResponse(allocateResponse);
                return(allocateResponse);
            }
        }