/// <exception cref="System.Exception"/> public virtual void TestAMRMTokenSecretManagerStateStore(RMStateStoreTestBase.RMStateStoreHelper stateStoreHelper) { System.Console.Out.WriteLine("Start testing"); RMStateStore store = stateStoreHelper.GetRMStateStore(); RMStateStoreTestBase.TestDispatcher dispatcher = new RMStateStoreTestBase.TestDispatcher (); store.SetRMDispatcher(dispatcher); RMContext rmContext = Org.Mockito.Mockito.Mock <RMContext>(); Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store); Configuration conf = new YarnConfiguration(); AMRMTokenSecretManager appTokenMgr = new AMRMTokenSecretManager(conf, rmContext); //create and save the first masterkey MasterKeyData firstMasterKeyData = appTokenMgr.CreateNewMasterKey(); AMRMTokenSecretManagerState state1 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData .GetMasterKey(), null); rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state1, false); // load state store = stateStoreHelper.GetRMStateStore(); Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store); store.SetRMDispatcher(dispatcher); RMStateStore.RMState state = store.LoadState(); NUnit.Framework.Assert.IsNotNull(state.GetAMRMTokenSecretManagerState()); NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state.GetAMRMTokenSecretManagerState ().GetCurrentMasterKey()); NUnit.Framework.Assert.IsNull(state.GetAMRMTokenSecretManagerState().GetNextMasterKey ()); //create and save the second masterkey MasterKeyData secondMasterKeyData = appTokenMgr.CreateNewMasterKey(); AMRMTokenSecretManagerState state2 = AMRMTokenSecretManagerState.NewInstance(firstMasterKeyData .GetMasterKey(), secondMasterKeyData.GetMasterKey()); rmContext.GetStateStore().StoreOrUpdateAMRMTokenSecretManager(state2, true); // load state store = stateStoreHelper.GetRMStateStore(); Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(store); store.SetRMDispatcher(dispatcher); RMStateStore.RMState state_2 = store.LoadState(); NUnit.Framework.Assert.IsNotNull(state_2.GetAMRMTokenSecretManagerState()); NUnit.Framework.Assert.AreEqual(firstMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState ().GetCurrentMasterKey()); NUnit.Framework.Assert.AreEqual(secondMasterKeyData.GetMasterKey(), state_2.GetAMRMTokenSecretManagerState ().GetNextMasterKey()); // re-create the masterKeyData based on the recovered masterkey // should have the same secretKey appTokenMgr.Recover(state_2); NUnit.Framework.Assert.AreEqual(appTokenMgr.GetCurrnetMasterKeyData().GetSecretKey (), firstMasterKeyData.GetSecretKey()); NUnit.Framework.Assert.AreEqual(appTokenMgr.GetNextMasterKeyData().GetSecretKey() , secondMasterKeyData.GetSecretKey()); store.Close(); }
/// <summary> /// This method will be used to verify NMTokens generated by different master /// keys. /// </summary> /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/> public override byte[] RetrievePassword(NMTokenIdentifier identifier) { lock (this) { int keyId = identifier.GetKeyId(); ApplicationAttemptId appAttemptId = identifier.GetApplicationAttemptId(); /* * MasterKey used for retrieving password will be as follows. 1) By default * older saved master key will be used. 2) If identifier's master key id * matches that of previous master key id then previous key will be used. 3) * If identifier's master key id matches that of current master key id then * current key will be used. */ MasterKeyData oldMasterKey = oldMasterKeys[appAttemptId]; MasterKeyData masterKeyToUse = oldMasterKey; if (previousMasterKey != null && keyId == previousMasterKey.GetMasterKey().GetKeyId ()) { masterKeyToUse = previousMasterKey; } else { if (keyId == currentMasterKey.GetMasterKey().GetKeyId()) { masterKeyToUse = currentMasterKey; } } if (nodeId != null && !identifier.GetNodeId().Equals(nodeId)) { throw new SecretManager.InvalidToken("Given NMToken for application : " + appAttemptId .ToString() + " is not valid for current node manager." + "expected : " + nodeId .ToString() + " found : " + identifier.GetNodeId().ToString()); } if (masterKeyToUse != null) { byte[] password = RetrivePasswordInternal(identifier, masterKeyToUse); Log.Debug("NMToken password retrieved successfully!!"); return(password); } throw new SecretManager.InvalidToken("Given NMToken for application : " + appAttemptId .ToString() + " seems to have been generated illegally."); } }
private void UpdateCurrentMasterKey(MasterKeyData key) { base.currentMasterKey = key; try { stateStore.StoreContainerTokenCurrentMasterKey(key.GetMasterKey()); } catch (IOException e) { Log.Error("Unable to update current master key in state store", e); } }
private void UpdatePreviousMasterKey(MasterKeyData key) { previousMasterKey = key; try { stateStore.StoreContainerTokenPreviousMasterKey(key.GetMasterKey()); } catch (IOException e) { Log.Error("Unable to update previous master key in state store", e); } }
private void UpdateAppAttemptKey(ApplicationAttemptId attempt, MasterKeyData key) { this.oldMasterKeys[attempt] = key; try { stateStore.StoreNMTokenApplicationMasterKey(attempt, key.GetMasterKey()); } catch (IOException e) { Log.Error("Unable to store master key for application " + attempt, e); } }
/// <summary>This will be called by startContainer.</summary> /// <remarks> /// This will be called by startContainer. It will add the master key into /// the cache used for starting this container. This should be called before /// validating the startContainer request. /// </remarks> /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/> public virtual void AppAttemptStartContainer(NMTokenIdentifier identifier) { lock (this) { ApplicationAttemptId appAttemptId = identifier.GetApplicationAttemptId(); if (!appToAppAttemptMap.Contains(appAttemptId.GetApplicationId())) { // First application attempt for the given application appToAppAttemptMap[appAttemptId.GetApplicationId()] = new AList <ApplicationAttemptId >(); } MasterKeyData oldKey = oldMasterKeys[appAttemptId]; if (oldKey == null) { // This is a new application attempt. appToAppAttemptMap[appAttemptId.GetApplicationId()].AddItem(appAttemptId); } if (oldKey == null || oldKey.GetMasterKey().GetKeyId() != identifier.GetKeyId()) { // Update key only if it is modified. Log.Debug("NMToken key updated for application attempt : " + identifier.GetApplicationAttemptId ().ToString()); if (identifier.GetKeyId() == currentMasterKey.GetMasterKey().GetKeyId()) { UpdateAppAttemptKey(appAttemptId, currentMasterKey); } else { if (previousMasterKey != null && identifier.GetKeyId() == previousMasterKey.GetMasterKey ().GetKeyId()) { UpdateAppAttemptKey(appAttemptId, previousMasterKey); } else { throw new SecretManager.InvalidToken("Older NMToken should not be used while starting the container." ); } } } } }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> /// <exception cref="System.IO.IOException"/> public virtual AllocateResponse Allocate(AllocateRequest request) { AMRMTokenIdentifier amrmTokenIdentifier = AuthorizeRequest(); ApplicationAttemptId appAttemptId = amrmTokenIdentifier.GetApplicationAttemptId(); ApplicationId applicationId = appAttemptId.GetApplicationId(); this.amLivelinessMonitor.ReceivedPing(appAttemptId); /* check if its in cache */ ApplicationMasterService.AllocateResponseLock Lock = responseMap[appAttemptId]; if (Lock == null) { string message = "Application attempt " + appAttemptId + " doesn't exist in ApplicationMasterService cache."; Log.Error(message); throw new ApplicationAttemptNotFoundException(message); } lock (Lock) { AllocateResponse lastResponse = Lock.GetAllocateResponse(); if (!HasApplicationMasterRegistered(appAttemptId)) { string message = "AM is not registered for known application attempt: " + appAttemptId + " or RM had restarted after AM registered . AM should re-register."; Log.Info(message); RMAuditLogger.LogFailure(this.rmContext.GetRMApps()[appAttemptId.GetApplicationId ()].GetUser(), RMAuditLogger.AuditConstants.AmAllocate, string.Empty, "ApplicationMasterService" , message, applicationId, appAttemptId); throw new ApplicationMasterNotRegisteredException(message); } if ((request.GetResponseId() + 1) == lastResponse.GetResponseId()) { /* old heartbeat */ return(lastResponse); } else { if (request.GetResponseId() + 1 < lastResponse.GetResponseId()) { string message = "Invalid responseId in AllocateRequest from application attempt: " + appAttemptId + ", expect responseId to be " + (lastResponse.GetResponseId() + 1); throw new InvalidApplicationMasterRequestException(message); } } //filter illegal progress values float filteredProgress = request.GetProgress(); if (float.IsNaN(filteredProgress) || filteredProgress == float.NegativeInfinity || filteredProgress < 0) { request.SetProgress(0); } else { if (filteredProgress > 1 || filteredProgress == float.PositiveInfinity) { request.SetProgress(1); } } // Send the status update to the appAttempt. this.rmContext.GetDispatcher().GetEventHandler().Handle(new RMAppAttemptStatusupdateEvent (appAttemptId, request.GetProgress())); IList <ResourceRequest> ask = request.GetAskList(); IList <ContainerId> release = request.GetReleaseList(); ResourceBlacklistRequest blacklistRequest = request.GetResourceBlacklistRequest(); IList <string> blacklistAdditions = (blacklistRequest != null) ? blacklistRequest. GetBlacklistAdditions() : Sharpen.Collections.EmptyList; IList <string> blacklistRemovals = (blacklistRequest != null) ? blacklistRequest.GetBlacklistRemovals () : Sharpen.Collections.EmptyList; RMApp app = this.rmContext.GetRMApps()[applicationId]; // set label expression for Resource Requests if resourceName=ANY ApplicationSubmissionContext asc = app.GetApplicationSubmissionContext(); foreach (ResourceRequest req in ask) { if (null == req.GetNodeLabelExpression() && ResourceRequest.Any.Equals(req.GetResourceName ())) { req.SetNodeLabelExpression(asc.GetNodeLabelExpression()); } } // sanity check try { RMServerUtils.NormalizeAndValidateRequests(ask, rScheduler.GetMaximumResourceCapability (), app.GetQueue(), rScheduler, rmContext); } catch (InvalidResourceRequestException e) { Log.Warn("Invalid resource ask by application " + appAttemptId, e); throw; } try { RMServerUtils.ValidateBlacklistRequest(blacklistRequest); } catch (InvalidResourceBlacklistRequestException e) { Log.Warn("Invalid blacklist request by application " + appAttemptId, e); throw; } // In the case of work-preserving AM restart, it's possible for the // AM to release containers from the earlier attempt. if (!app.GetApplicationSubmissionContext().GetKeepContainersAcrossApplicationAttempts ()) { try { RMServerUtils.ValidateContainerReleaseRequest(release, appAttemptId); } catch (InvalidContainerReleaseException e) { Log.Warn("Invalid container release by application " + appAttemptId, e); throw; } } // Send new requests to appAttempt. Allocation allocation = this.rScheduler.Allocate(appAttemptId, ask, release, blacklistAdditions , blacklistRemovals); if (!blacklistAdditions.IsEmpty() || !blacklistRemovals.IsEmpty()) { Log.Info("blacklist are updated in Scheduler." + "blacklistAdditions: " + blacklistAdditions + ", " + "blacklistRemovals: " + blacklistRemovals); } RMAppAttempt appAttempt = app.GetRMAppAttempt(appAttemptId); AllocateResponse allocateResponse = recordFactory.NewRecordInstance <AllocateResponse >(); if (!allocation.GetContainers().IsEmpty()) { allocateResponse.SetNMTokens(allocation.GetNMTokens()); } // update the response with the deltas of node status changes IList <RMNode> updatedNodes = new AList <RMNode>(); if (app.PullRMNodeUpdates(updatedNodes) > 0) { IList <NodeReport> updatedNodeReports = new AList <NodeReport>(); foreach (RMNode rmNode in updatedNodes) { SchedulerNodeReport schedulerNodeReport = rScheduler.GetNodeReport(rmNode.GetNodeID ()); Resource used = BuilderUtils.NewResource(0, 0); int numContainers = 0; if (schedulerNodeReport != null) { used = schedulerNodeReport.GetUsedResource(); numContainers = schedulerNodeReport.GetNumContainers(); } NodeId nodeId = rmNode.GetNodeID(); NodeReport report = BuilderUtils.NewNodeReport(nodeId, rmNode.GetState(), rmNode. GetHttpAddress(), rmNode.GetRackName(), used, rmNode.GetTotalCapability(), numContainers , rmNode.GetHealthReport(), rmNode.GetLastHealthReportTime(), rmNode.GetNodeLabels ()); updatedNodeReports.AddItem(report); } allocateResponse.SetUpdatedNodes(updatedNodeReports); } allocateResponse.SetAllocatedContainers(allocation.GetContainers()); allocateResponse.SetCompletedContainersStatuses(appAttempt.PullJustFinishedContainers ()); allocateResponse.SetResponseId(lastResponse.GetResponseId() + 1); allocateResponse.SetAvailableResources(allocation.GetResourceLimit()); allocateResponse.SetNumClusterNodes(this.rScheduler.GetNumClusterNodes()); // add preemption to the allocateResponse message (if any) allocateResponse.SetPreemptionMessage(GeneratePreemptionMessage(allocation)); // update AMRMToken if the token is rolled-up MasterKeyData nextMasterKey = this.rmContext.GetAMRMTokenSecretManager().GetNextMasterKeyData (); if (nextMasterKey != null && nextMasterKey.GetMasterKey().GetKeyId() != amrmTokenIdentifier .GetKeyId()) { RMAppAttemptImpl appAttemptImpl = (RMAppAttemptImpl)appAttempt; Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = appAttempt .GetAMRMToken(); if (nextMasterKey.GetMasterKey().GetKeyId() != appAttemptImpl.GetAMRMTokenKeyId()) { Log.Info("The AMRMToken has been rolled-over. Send new AMRMToken back" + " to application: " + applicationId); amrmToken = rmContext.GetAMRMTokenSecretManager().CreateAndGetAMRMToken(appAttemptId ); appAttemptImpl.SetAMRMToken(amrmToken); } allocateResponse.SetAMRMToken(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance (amrmToken.GetIdentifier(), amrmToken.GetKind().ToString(), amrmToken.GetPassword (), amrmToken.GetService().ToString())); } /* * As we are updating the response inside the lock object so we don't * need to worry about unregister call occurring in between (which * removes the lock object). */ Lock.SetAllocateResponse(allocateResponse); return(allocateResponse); } }