/// <exception cref="System.Exception"/>
public virtual void TestAMRMTokenSecretManagerStateStore(RMStateStoreTestBase.RMStateStoreHelper
stateStoreHelper)
{
System.Console.Out.WriteLine("Start testing");
RMStateStore store = stateStoreHelper.GetRMStateStore();
RMStateStoreTestBase.TestDispatcher dispatcher = new RMStateStoreTestBase.TestDispatcher
();
store.SetRMDispatcher(dispatcher);
RMContext rmContext = Org.Mockito.Mockito.Mock <RMContext>();
Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store);
Configuration conf = new YarnConfiguration();
AMRMTokenSecretManager appTokenMgr = new AMRMTokenSecretManager(conf, rmContext);
//create and save the first masterkey
MasterKeyData firstMasterKeyData = appTokenMgr.CreateNewMasterKey();
AMRMTokenSecretManagerState state1 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData
.GetMasterKey(), null);
rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state1, false);
// load state
store = stateStoreHelper.GetRMStateStore();
Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store);
store.SetRMDispatcher(dispatcher);
RMStateStore.RMState state = store.LoadState();
NUnit.Framework.Assert.IsNotNull(state.GetAMRMTokenSecretManagerState());
NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state.GetAMRMTokenSecretManagerState
().GetCurrentMasterKey());
NUnit.Framework.Assert.IsNull(state.GetAMRMTokenSecretManagerState().GetNextMasterKey
());
//create and save the second masterkey
MasterKeyData secondMasterKeyData = appTokenMgr.CreateNewMasterKey();
AMRMTokenSecretManagerState state2 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData
.GetMasterKey(), secondMasterKeyData.GetMasterKey());
rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state2, true);
// load state
store = stateStoreHelper.GetRMStateStore();
Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store);
store.SetRMDispatcher(dispatcher);
RMStateStore.RMState state_2 = store.LoadState();
NUnit.Framework.Assert.IsNotNull(state_2.GetAMRMTokenSecretManagerState());
NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState
().GetCurrentMasterKey());
NUnit.Framework.Assert.AreEqual(secondMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState
().GetNextMasterKey());
// re-create the masterKeyData based on the recovered masterkey
// should have the same secretKey
appTokenMgr.Recover(state_2);
NUnit.Framework.Assert.AreEqual(appTokenMgr.GetCurrnetMasterKeyData().GetSecretKey
(), firstMasterKeyData.GetSecretKey());
NUnit.Framework.Assert.AreEqual(appTokenMgr.GetNextMasterKeyData().GetSecretKey()
, secondMasterKeyData.GetSecretKey());
store.Close();
}
/// <summary>
/// This method will be used to verify NMTokens generated by different master
/// keys.
/// </summary>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/>
public override byte[] RetrievePassword(NMTokenIdentifier identifier)
{
lock (this)
{
int keyId = identifier.GetKeyId();
ApplicationAttemptId appAttemptId = identifier.GetApplicationAttemptId();
/*
* MasterKey used for retrieving password will be as follows. 1) By default
* older saved master key will be used. 2) If identifier's master key id
* matches that of previous master key id then previous key will be used. 3)
* If identifier's master key id matches that of current master key id then
* current key will be used.
*/
MasterKeyData oldMasterKey = oldMasterKeys[appAttemptId];
MasterKeyData masterKeyToUse = oldMasterKey;
if (previousMasterKey != null && keyId == previousMasterKey.GetMasterKey().GetKeyId
())
{
masterKeyToUse = previousMasterKey;
}
else
{
if (keyId == currentMasterKey.GetMasterKey().GetKeyId())
{
masterKeyToUse = currentMasterKey;
}
}
if (nodeId != null && !identifier.GetNodeId().Equals(nodeId))
{
throw new SecretManager.InvalidToken("Given NMToken for application : " + appAttemptId
.ToString() + " is not valid for current node manager." + "expected : " + nodeId
.ToString() + " found : " + identifier.GetNodeId().ToString());
}
if (masterKeyToUse != null)
{
byte[] password = RetrivePasswordInternal(identifier, masterKeyToUse);
Log.Debug("NMToken password retrieved successfully!!");
return(password);
}
throw new SecretManager.InvalidToken("Given NMToken for application : " + appAttemptId
.ToString() + " seems to have been generated illegally.");
}
}
private void UpdateCurrentMasterKey(MasterKeyData key)
{
base.currentMasterKey = key;
try
{
stateStore.StoreContainerTokenCurrentMasterKey(key.GetMasterKey());
}
catch (IOException e)
{
Log.Error("Unable to update current master key in state store", e);
}
}
private void UpdatePreviousMasterKey(MasterKeyData key)
{
previousMasterKey = key;
try
{
stateStore.StoreContainerTokenPreviousMasterKey(key.GetMasterKey());
}
catch (IOException e)
{
Log.Error("Unable to update previous master key in state store", e);
}
}
private void UpdateAppAttemptKey(ApplicationAttemptId attempt, MasterKeyData key)
{
this.oldMasterKeys[attempt] = key;
try
{
stateStore.StoreNMTokenApplicationMasterKey(attempt, key.GetMasterKey());
}
catch (IOException e)
{
Log.Error("Unable to store master key for application " + attempt, e);
}
}
/// <summary>This will be called by startContainer.</summary>
/// <remarks>
/// This will be called by startContainer. It will add the master key into
/// the cache used for starting this container. This should be called before
/// validating the startContainer request.
/// </remarks>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/>
public virtual void AppAttemptStartContainer(NMTokenIdentifier identifier)
{
lock (this)
{
ApplicationAttemptId appAttemptId = identifier.GetApplicationAttemptId();
if (!appToAppAttemptMap.Contains(appAttemptId.GetApplicationId()))
{
// First application attempt for the given application
appToAppAttemptMap[appAttemptId.GetApplicationId()] = new AList <ApplicationAttemptId
>();
}
MasterKeyData oldKey = oldMasterKeys[appAttemptId];
if (oldKey == null)
{
// This is a new application attempt.
appToAppAttemptMap[appAttemptId.GetApplicationId()].AddItem(appAttemptId);
}
if (oldKey == null || oldKey.GetMasterKey().GetKeyId() != identifier.GetKeyId())
{
// Update key only if it is modified.
Log.Debug("NMToken key updated for application attempt : " + identifier.GetApplicationAttemptId
().ToString());
if (identifier.GetKeyId() == currentMasterKey.GetMasterKey().GetKeyId())
{
UpdateAppAttemptKey(appAttemptId, currentMasterKey);
}
else
{
if (previousMasterKey != null && identifier.GetKeyId() == previousMasterKey.GetMasterKey
().GetKeyId())
{
UpdateAppAttemptKey(appAttemptId, previousMasterKey);
}
else
{
throw new SecretManager.InvalidToken("Older NMToken should not be used while starting the container."
);
}
}
}
}
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public virtual AllocateResponse Allocate(AllocateRequest request)
{
AMRMTokenIdentifier amrmTokenIdentifier = AuthorizeRequest();
ApplicationAttemptId appAttemptId = amrmTokenIdentifier.GetApplicationAttemptId();
ApplicationId applicationId = appAttemptId.GetApplicationId();
this.amLivelinessMonitor.ReceivedPing(appAttemptId);
/* check if its in cache */
ApplicationMasterService.AllocateResponseLock Lock = responseMap[appAttemptId];
if (Lock == null)
{
string message = "Application attempt " + appAttemptId + " doesn't exist in ApplicationMasterService cache.";
Log.Error(message);
throw new ApplicationAttemptNotFoundException(message);
}
lock (Lock)
{
AllocateResponse lastResponse = Lock.GetAllocateResponse();
if (!HasApplicationMasterRegistered(appAttemptId))
{
string message = "AM is not registered for known application attempt: " + appAttemptId
+ " or RM had restarted after AM registered . AM should re-register.";
Log.Info(message);
RMAuditLogger.LogFailure(this.rmContext.GetRMApps()[appAttemptId.GetApplicationId
()].GetUser(), RMAuditLogger.AuditConstants.AmAllocate, string.Empty, "ApplicationMasterService"
, message, applicationId, appAttemptId);
throw new ApplicationMasterNotRegisteredException(message);
}
if ((request.GetResponseId() + 1) == lastResponse.GetResponseId())
{
/* old heartbeat */
return(lastResponse);
}
else
{
if (request.GetResponseId() + 1 < lastResponse.GetResponseId())
{
string message = "Invalid responseId in AllocateRequest from application attempt: "
+ appAttemptId + ", expect responseId to be " + (lastResponse.GetResponseId() +
1);
throw new InvalidApplicationMasterRequestException(message);
}
}
//filter illegal progress values
float filteredProgress = request.GetProgress();
if (float.IsNaN(filteredProgress) || filteredProgress == float.NegativeInfinity ||
filteredProgress < 0)
{
request.SetProgress(0);
}
else
{
if (filteredProgress > 1 || filteredProgress == float.PositiveInfinity)
{
request.SetProgress(1);
}
}
// Send the status update to the appAttempt.
this.rmContext.GetDispatcher().GetEventHandler().Handle(new RMAppAttemptStatusupdateEvent
(appAttemptId, request.GetProgress()));
IList <ResourceRequest> ask = request.GetAskList();
IList <ContainerId> release = request.GetReleaseList();
ResourceBlacklistRequest blacklistRequest = request.GetResourceBlacklistRequest();
IList <string> blacklistAdditions = (blacklistRequest != null) ? blacklistRequest.
GetBlacklistAdditions() : Sharpen.Collections.EmptyList;
IList <string> blacklistRemovals = (blacklistRequest != null) ? blacklistRequest.GetBlacklistRemovals
() : Sharpen.Collections.EmptyList;
RMApp app = this.rmContext.GetRMApps()[applicationId];
// set label expression for Resource Requests if resourceName=ANY
ApplicationSubmissionContext asc = app.GetApplicationSubmissionContext();
foreach (ResourceRequest req in ask)
{
if (null == req.GetNodeLabelExpression() && ResourceRequest.Any.Equals(req.GetResourceName
()))
{
req.SetNodeLabelExpression(asc.GetNodeLabelExpression());
}
}
// sanity check
try
{
RMServerUtils.NormalizeAndValidateRequests(ask, rScheduler.GetMaximumResourceCapability
(), app.GetQueue(), rScheduler, rmContext);
}
catch (InvalidResourceRequestException e)
{
Log.Warn("Invalid resource ask by application " + appAttemptId, e);
throw;
}
try
{
RMServerUtils.ValidateBlacklistRequest(blacklistRequest);
}
catch (InvalidResourceBlacklistRequestException e)
{
Log.Warn("Invalid blacklist request by application " + appAttemptId, e);
throw;
}
// In the case of work-preserving AM restart, it's possible for the
// AM to release containers from the earlier attempt.
if (!app.GetApplicationSubmissionContext().GetKeepContainersAcrossApplicationAttempts
())
{
try
{
RMServerUtils.ValidateContainerReleaseRequest(release, appAttemptId);
}
catch (InvalidContainerReleaseException e)
{
Log.Warn("Invalid container release by application " + appAttemptId, e);
throw;
}
}
// Send new requests to appAttempt.
Allocation allocation = this.rScheduler.Allocate(appAttemptId, ask, release, blacklistAdditions
, blacklistRemovals);
if (!blacklistAdditions.IsEmpty() || !blacklistRemovals.IsEmpty())
{
Log.Info("blacklist are updated in Scheduler." + "blacklistAdditions: " + blacklistAdditions
+ ", " + "blacklistRemovals: " + blacklistRemovals);
}
RMAppAttempt appAttempt = app.GetRMAppAttempt(appAttemptId);
AllocateResponse allocateResponse = recordFactory.NewRecordInstance <AllocateResponse
>();
if (!allocation.GetContainers().IsEmpty())
{
allocateResponse.SetNMTokens(allocation.GetNMTokens());
}
// update the response with the deltas of node status changes
IList <RMNode> updatedNodes = new AList <RMNode>();
if (app.PullRMNodeUpdates(updatedNodes) > 0)
{
IList <NodeReport> updatedNodeReports = new AList <NodeReport>();
foreach (RMNode rmNode in updatedNodes)
{
SchedulerNodeReport schedulerNodeReport = rScheduler.GetNodeReport(rmNode.GetNodeID
());
Resource used = BuilderUtils.NewResource(0, 0);
int numContainers = 0;
if (schedulerNodeReport != null)
{
used = schedulerNodeReport.GetUsedResource();
numContainers = schedulerNodeReport.GetNumContainers();
}
NodeId nodeId = rmNode.GetNodeID();
NodeReport report = BuilderUtils.NewNodeReport(nodeId, rmNode.GetState(), rmNode.
GetHttpAddress(), rmNode.GetRackName(), used, rmNode.GetTotalCapability(), numContainers
, rmNode.GetHealthReport(), rmNode.GetLastHealthReportTime(), rmNode.GetNodeLabels
());
updatedNodeReports.AddItem(report);
}
allocateResponse.SetUpdatedNodes(updatedNodeReports);
}
allocateResponse.SetAllocatedContainers(allocation.GetContainers());
allocateResponse.SetCompletedContainersStatuses(appAttempt.PullJustFinishedContainers
());
allocateResponse.SetResponseId(lastResponse.GetResponseId() + 1);
allocateResponse.SetAvailableResources(allocation.GetResourceLimit());
allocateResponse.SetNumClusterNodes(this.rScheduler.GetNumClusterNodes());
// add preemption to the allocateResponse message (if any)
allocateResponse.SetPreemptionMessage(GeneratePreemptionMessage(allocation));
// update AMRMToken if the token is rolled-up
MasterKeyData nextMasterKey = this.rmContext.GetAMRMTokenSecretManager().GetNextMasterKeyData
();
if (nextMasterKey != null && nextMasterKey.GetMasterKey().GetKeyId() != amrmTokenIdentifier
.GetKeyId())
{
RMAppAttemptImpl appAttemptImpl = (RMAppAttemptImpl)appAttempt;
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = appAttempt
.GetAMRMToken();
if (nextMasterKey.GetMasterKey().GetKeyId() != appAttemptImpl.GetAMRMTokenKeyId())
{
Log.Info("The AMRMToken has been rolled-over. Send new AMRMToken back" + " to application: "
+ applicationId);
amrmToken = rmContext.GetAMRMTokenSecretManager().CreateAndGetAMRMToken(appAttemptId
);
appAttemptImpl.SetAMRMToken(amrmToken);
}
allocateResponse.SetAMRMToken(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance
(amrmToken.GetIdentifier(), amrmToken.GetKind().ToString(), amrmToken.GetPassword
(), amrmToken.GetService().ToString()));
}
/*
* As we are updating the response inside the lock object so we don't
* need to worry about unregister call occurring in between (which
* removes the lock object).
*/
Lock.SetAllocateResponse(allocateResponse);
return(allocateResponse);
}
}
