/// <exception cref="System.Exception"/> public virtual void TestAMRMTokenSecretManagerStateStore(RMStateStoreTestBase.RMStateStoreHelper stateStoreHelper) { System.Console.Out.WriteLine("Start testing"); RMStateStore store = stateStoreHelper.GetRMStateStore(); RMStateStoreTestBase.TestDispatcher dispatcher = new RMStateStoreTestBase.TestDispatcher (); store.SetRMDispatcher(dispatcher); RMContext rmContext = Org.Mockito.Mockito.Mock <RMContext>(); Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store); Configuration conf = new YarnConfiguration(); AMRMTokenSecretManager appTokenMgr = new AMRMTokenSecretManager(conf, rmContext); //create and save the first masterkey MasterKeyData firstMasterKeyData = appTokenMgr.CreateNewMasterKey(); AMRMTokenSecretManagerState state1 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData .GetMasterKey(), null); rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state1, false); // load state store = stateStoreHelper.GetRMStateStore(); Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store); store.SetRMDispatcher(dispatcher); RMStateStore.RMState state = store.LoadState(); NUnit.Framework.Assert.IsNotNull(state.GetAMRMTokenSecretManagerState()); NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state.GetAMRMTokenSecretManagerState ().GetCurrentMasterKey()); NUnit.Framework.Assert.IsNull(state.GetAMRMTokenSecretManagerState().GetNextMasterKey ()); //create and save the second masterkey MasterKeyData secondMasterKeyData = appTokenMgr.CreateNewMasterKey(); AMRMTokenSecretManagerState state2 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData .GetMasterKey(), secondMasterKeyData.GetMasterKey()); rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state2, true); // load state store = stateStoreHelper.GetRMStateStore(); Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store); store.SetRMDispatcher(dispatcher); RMStateStore.RMState state_2 = store.LoadState(); NUnit.Framework.Assert.IsNotNull(state_2.GetAMRMTokenSecretManagerState()); NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState ().GetCurrentMasterKey()); NUnit.Framework.Assert.AreEqual(secondMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState ().GetNextMasterKey()); // re-create the masterKeyData based on the recovered masterkey // should have the same secretKey appTokenMgr.Recover(state_2); NUnit.Framework.Assert.AreEqual(appTokenMgr.GetCurrnetMasterKeyData().GetSecretKey (), firstMasterKeyData.GetSecretKey()); NUnit.Framework.Assert.AreEqual(appTokenMgr.GetNextMasterKeyData().GetSecretKey() , secondMasterKeyData.GetSecretKey()); store.Close(); }
// Test verify for AM issued with rolled-over AMRMToken // is still able to communicate with restarted RM. /// <exception cref="System.Exception"/> public virtual void TestAMRMClientOnAMRMTokenRollOverOnRMRestart() { conf.SetLong(YarnConfiguration.RmAmrmTokenMasterKeyRollingIntervalSecs, rolling_interval_sec ); conf.SetLong(YarnConfiguration.RmAmExpiryIntervalMs, am_expire_ms); MemoryRMStateStore memStore = new MemoryRMStateStore(); memStore.Init(conf); // start first RM TestAMRMClientOnRMRestart.MyResourceManager2 rm1 = new TestAMRMClientOnRMRestart.MyResourceManager2 (conf, memStore); rm1.Start(); DrainDispatcher dispatcher = (DrainDispatcher)rm1.GetRMContext().GetDispatcher(); long startTime = Runtime.CurrentTimeMillis(); // Submit the application RMApp app = rm1.SubmitApp(1024); dispatcher.Await(); MockNM nm1 = new MockNM("h1:1234", 15120, rm1.GetResourceTrackerService()); nm1.RegisterNode(); nm1.NodeHeartbeat(true); // Node heartbeat dispatcher.Await(); ApplicationAttemptId appAttemptId = app.GetCurrentAppAttempt().GetAppAttemptId(); rm1.SendAMLaunched(appAttemptId); dispatcher.Await(); AMRMTokenSecretManager amrmTokenSecretManagerForRM1 = rm1.GetRMContext().GetAMRMTokenSecretManager (); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> token = amrmTokenSecretManagerForRM1 .CreateAndGetAMRMToken(appAttemptId); UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); ugi.AddTokenIdentifier(token.DecodeIdentifier()); AMRMClient <AMRMClient.ContainerRequest> amClient = new TestAMRMClientOnRMRestart.MyAMRMClientImpl (rm1); amClient.Init(conf); amClient.Start(); amClient.RegisterApplicationMaster("h1", 10000, string.Empty); amClient.Allocate(0.1f); // Wait for enough time and make sure the roll_over happens // At mean time, the old AMRMToken should continue to work while (Runtime.CurrentTimeMillis() - startTime < rolling_interval_sec * 1000) { amClient.Allocate(0.1f); try { Sharpen.Thread.Sleep(1000); } catch (Exception) { } } // DO NOTHING NUnit.Framework.Assert.IsTrue(amrmTokenSecretManagerForRM1.GetMasterKey().GetMasterKey ().GetKeyId() != token.DecodeIdentifier().GetKeyId()); amClient.Allocate(0.1f); // active the nextMasterKey, and replace the currentMasterKey Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> newToken = amrmTokenSecretManagerForRM1 .CreateAndGetAMRMToken(appAttemptId); int waitCount = 0; while (waitCount++ <= 50) { if (amrmTokenSecretManagerForRM1.GetCurrnetMasterKeyData().GetMasterKey().GetKeyId () != token.DecodeIdentifier().GetKeyId()) { break; } try { amClient.Allocate(0.1f); } catch (Exception) { break; } Sharpen.Thread.Sleep(500); } NUnit.Framework.Assert.IsTrue(amrmTokenSecretManagerForRM1.GetNextMasterKeyData() == null); NUnit.Framework.Assert.IsTrue(amrmTokenSecretManagerForRM1.GetCurrnetMasterKeyData ().GetMasterKey().GetKeyId() == newToken.DecodeIdentifier().GetKeyId()); // start 2nd RM conf.Set(YarnConfiguration.RmSchedulerAddress, "0.0.0.0:9030"); TestAMRMClientOnRMRestart.MyResourceManager2 rm2 = new TestAMRMClientOnRMRestart.MyResourceManager2 (conf, memStore); rm2.Start(); nm1.SetResourceTrackerService(rm2.GetResourceTrackerService()); ((TestAMRMClientOnRMRestart.MyAMRMClientImpl)amClient).UpdateRMProxy(rm2); dispatcher = (DrainDispatcher)rm2.GetRMContext().GetDispatcher(); AMRMTokenSecretManager amrmTokenSecretManagerForRM2 = rm2.GetRMContext().GetAMRMTokenSecretManager (); NUnit.Framework.Assert.IsTrue(amrmTokenSecretManagerForRM2.GetCurrnetMasterKeyData ().GetMasterKey().GetKeyId() == newToken.DecodeIdentifier().GetKeyId()); NUnit.Framework.Assert.IsTrue(amrmTokenSecretManagerForRM2.GetNextMasterKeyData() == null); try { UserGroupInformation testUser = UserGroupInformation.CreateRemoteUser("testUser"); SecurityUtil.SetTokenService(token, rm2.GetApplicationMasterService().GetBindAddress ()); testUser.AddToken(token); testUser.DoAs(new _PrivilegedAction_480(rm2)).Allocate(Org.Apache.Hadoop.Yarn.Util.Records .NewRecord <AllocateRequest>()); NUnit.Framework.Assert.Fail("The old Token should not work"); } catch (Exception ex) { NUnit.Framework.Assert.IsTrue(ex is SecretManager.InvalidToken); NUnit.Framework.Assert.IsTrue(ex.Message.Contains("Invalid AMRMToken from " + token .DecodeIdentifier().GetApplicationAttemptId())); } // make sure the recovered AMRMToken works for new RM amClient.Allocate(0.1f); amClient.UnregisterApplicationMaster(FinalApplicationStatus.Succeeded, null, null ); amClient.Stop(); rm1.Stop(); rm2.Stop(); }