// Test the DT mast key in the state-store when the mast key is being rolled. /// <exception cref="System.Exception"/> public virtual void TestRMDTMasterKeyStateOnRollingMasterKey() { MemoryRMStateStore memStore = new MemoryRMStateStore(); memStore.Init(conf); RMStateStore.RMState rmState = memStore.GetState(); IDictionary <RMDelegationTokenIdentifier, long> rmDTState = rmState.GetRMDTSecretManagerState ().GetTokenState(); ICollection <DelegationKey> rmDTMasterKeyState = rmState.GetRMDTSecretManagerState ().GetMasterKeyState(); MockRM rm1 = new TestRMDelegationTokens.MyMockRM(this, conf, memStore); rm1.Start(); // on rm start, two master keys are created. // One is created at RMDTSecretMgr.startThreads.updateCurrentKey(); // the other is created on the first run of // tokenRemoverThread.rollMasterKey() RMDelegationTokenSecretManager dtSecretManager = rm1.GetRMContext().GetRMDelegationTokenSecretManager (); // assert all master keys are saved NUnit.Framework.Assert.AreEqual(dtSecretManager.GetAllMasterKeys(), rmDTMasterKeyState ); ICollection <DelegationKey> expiringKeys = new HashSet <DelegationKey>(); Sharpen.Collections.AddAll(expiringKeys, dtSecretManager.GetAllMasterKeys()); // request to generate a RMDelegationToken GetDelegationTokenRequest request = Org.Mockito.Mockito.Mock <GetDelegationTokenRequest >(); Org.Mockito.Mockito.When(request.GetRenewer()).ThenReturn("renewer1"); GetDelegationTokenResponse response = rm1.GetClientRMService().GetDelegationToken (request); Org.Apache.Hadoop.Yarn.Api.Records.Token delegationToken = response.GetRMDelegationToken (); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token1 = ConverterUtils .ConvertFromYarn(delegationToken, (Text)null); RMDelegationTokenIdentifier dtId1 = token1.DecodeIdentifier(); // For all keys that still remain in memory, we should have them stored // in state-store also. while (((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager ).numUpdatedKeys.Get() < 3) { ((TestRMDelegationTokens.TestRMDelegationTokenSecretManager)dtSecretManager).CheckCurrentKeyInStateStore (rmDTMasterKeyState); Sharpen.Thread.Sleep(100); } // wait for token to expire and remove from state-store // rollMasterKey is called every 1 second. int count = 0; while (rmDTState.Contains(dtId1) && count < 100) { Sharpen.Thread.Sleep(100); count++; } rm1.Stop(); }
/// <exception cref="System.IO.IOException"/> public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest request) { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); // Verify that the connection is kerberos authenticated if (!this.IsAllowedDelegationTokenOp()) { throw new IOException("Delegation Token can be issued only with kerberos authentication" ); } GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse >(); string user = ugi.GetUserName(); Text owner = new Text(user); Text realUser = null; if (ugi.GetRealUser() != null) { realUser = new Text(ugi.GetRealUser().GetUserName()); } MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner , new Text(request.GetRenewer()), realUser); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier , this._enclosing.jhsDTSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken .GetPassword(), realJHSToken.GetService().ToString()); response.SetDelegationToken(mrDToken); return(response); }
/// <exception cref="System.IO.IOException"/> public virtual CancelDelegationTokenResponse CancelDelegationToken(CancelDelegationTokenRequest request) { if (!this.IsAllowedDelegationTokenOp()) { throw new IOException("Delegation Token can be cancelled only with kerberos authentication" ); } Org.Apache.Hadoop.Yarn.Api.Records.Token protoToken = request.GetDelegationToken( ); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(((byte[])protoToken.GetIdentifier().Array()), ((byte [])protoToken.GetPassword().Array()), new Text(protoToken.GetKind()), new Text(protoToken .GetService())); string user = UserGroupInformation.GetCurrentUser().GetUserName(); this._enclosing.jhsDTSecretManager.CancelToken(token, user); return(Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <CancelDelegationTokenResponse >()); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> public override void Cancel <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0> token , Configuration conf) { Org.Apache.Hadoop.Yarn.Api.Records.Token dToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(token.GetIdentifier(), token.GetKind().ToString(), token.GetPassword (), token.GetService().ToString()); MRClientProtocol histProxy = InstantiateHistoryProxy(conf, SecurityUtil.GetTokenServiceAddr (token)); try { CancelDelegationTokenRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <CancelDelegationTokenRequest>(); request.SetDelegationToken(dToken); histProxy.CancelDelegationToken(request); } finally { StopHistoryProxy(histProxy); } }