/// <exception cref="System.Exception"/> public virtual void TestHAUtilClonesDelegationTokens() { Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken (fs, "JobTracker"); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test"); URI haUri = new URI("hdfs://my-ha-uri/"); token.SetService(HAUtil.BuildTokenServiceForLogicalUri(haUri, HdfsConstants.HdfsUriScheme )); ugi.AddToken(token); ICollection <IPEndPoint> nnAddrs = new HashSet <IPEndPoint>(); nnAddrs.AddItem(new IPEndPoint("localhost", nn0.GetNameNodeAddress().Port)); nnAddrs.AddItem(new IPEndPoint("localhost", nn1.GetNameNodeAddress().Port)); HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs); ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > tokens = ugi .GetTokens(); NUnit.Framework.Assert.AreEqual(3, tokens.Count); Log.Info("Tokens:\n" + Joiner.On("\n").Join(tokens)); DelegationTokenSelector dts = new DelegationTokenSelector(); // check that the token selected for one of the physical IPC addresses // matches the one we received foreach (IPEndPoint addr in nnAddrs) { Text ipcDtService = SecurityUtil.BuildTokenService(addr); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken (ipcDtService, ugi.GetTokens()); NUnit.Framework.Assert.IsNotNull(token2); Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier()); Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword()); } // switch to host-based tokens, shouldn't match existing tokens SecurityUtilTestHelper.SetTokenServiceUseIp(false); foreach (IPEndPoint addr_1 in nnAddrs) { Text ipcDtService = SecurityUtil.BuildTokenService(addr_1); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken (ipcDtService, ugi.GetTokens()); NUnit.Framework.Assert.IsNull(token2); } // reclone the tokens, and see if they match now HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs); foreach (IPEndPoint addr_2 in nnAddrs) { Text ipcDtService = SecurityUtil.BuildTokenService(addr_2); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken (ipcDtService, ugi.GetTokens()); NUnit.Framework.Assert.IsNotNull(token2); Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier()); Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword()); } }
/// <summary>Add the job token of a job to cache</summary> /// <param name="jobId">the job that owns the token</param> /// <param name="token">the job token</param> public virtual void AddTokenForJob(string jobId, Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> token) { SecretKey tokenSecret = CreateSecretKey(token.GetPassword()); lock (currentJobTokens) { currentJobTokens[jobId] = tokenSecret; } }
/// <summary>Renew a delegation token.</summary> /// <param name="token">the token to renew</param> /// <param name="renewer">the full principal name of the user doing the renewal</param> /// <returns>the new expiration time</returns> /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken">if the token is invalid /// </exception> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the user can't renew token /// </exception> /// <exception cref="System.IO.IOException"/> public virtual long RenewToken(Org.Apache.Hadoop.Security.Token.Token <TokenIdent> token, string renewer) { lock (this) { ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier()); DataInputStream @in = new DataInputStream(buf); TokenIdent id = CreateIdentifier(); id.ReadFields(@in); Log.Info("Token renewal for identifier: " + id + "; total currentTokens " + currentTokens .Count); long now = Time.Now(); if (id.GetMaxDate() < now) { throw new SecretManager.InvalidToken(renewer + " tried to renew an expired token" ); } if ((id.GetRenewer() == null) || (id.GetRenewer().ToString().IsEmpty())) { throw new AccessControlException(renewer + " tried to renew a token without a renewer" ); } if (!id.GetRenewer().ToString().Equals(renewer)) { throw new AccessControlException(renewer + " tries to renew a token with renewer " + id.GetRenewer()); } DelegationKey key = GetDelegationKey(id.GetMasterKeyId()); if (key == null) { throw new SecretManager.InvalidToken("Unable to find master key for keyId=" + id. GetMasterKeyId() + " from cache. Failed to renew an unexpired token" + " with sequenceNumber=" + id.GetSequenceNumber()); } byte[] password = CreatePassword(token.GetIdentifier(), key.GetKey()); if (!Arrays.Equals(password, token.GetPassword())) { throw new AccessControlException(renewer + " is trying to renew a token with wrong password" ); } long renewTime = Math.Min(id.GetMaxDate(), now + tokenRenewInterval); string trackingId = GetTrackingIdIfEnabled(id); AbstractDelegationTokenSecretManager.DelegationTokenInformation info = new AbstractDelegationTokenSecretManager.DelegationTokenInformation (renewTime, password, trackingId); if (GetTokenInfo(id) == null) { throw new SecretManager.InvalidToken("Renewal request for unknown token"); } UpdateToken(id, info); return(renewTime); } }
public virtual void TestAMRMTokenUpdate() { Configuration conf = new Configuration(); ApplicationAttemptId attemptId = ApplicationAttemptId.NewInstance(ApplicationId.NewInstance (1, 1), 1); AMRMTokenIdentifier oldTokenId = new AMRMTokenIdentifier(attemptId, 1); AMRMTokenIdentifier newTokenId = new AMRMTokenIdentifier(attemptId, 2); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> oldToken = new Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier>(oldTokenId.GetBytes(), Sharpen.Runtime.GetBytesForString("oldpassword" ), oldTokenId.GetKind(), new Text()); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> newToken = new Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier>(newTokenId.GetBytes(), Sharpen.Runtime.GetBytesForString("newpassword" ), newTokenId.GetKind(), new Text()); TestLocalContainerAllocator.MockScheduler scheduler = new TestLocalContainerAllocator.MockScheduler (); scheduler.amToken = newToken; LocalContainerAllocator lca = new TestLocalContainerAllocator.StubbedLocalContainerAllocator (scheduler); lca.Init(conf); lca.Start(); UserGroupInformation testUgi = UserGroupInformation.CreateUserForTesting("someuser" , new string[0]); testUgi.AddToken(oldToken); testUgi.DoAs(new _PrivilegedExceptionAction_144(lca)); lca.Close(); // verify there is only one AMRM token in the UGI and it matches the // updated token from the RM int tokenCount = 0; Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> ugiToken = null; foreach (Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> token in testUgi .GetTokens()) { if (AMRMTokenIdentifier.KindName.Equals(token.GetKind())) { ugiToken = token; ++tokenCount; } } NUnit.Framework.Assert.AreEqual("too many AMRM tokens", 1, tokenCount); Assert.AssertArrayEquals("token identifier not updated", newToken.GetIdentifier() , ugiToken.GetIdentifier()); Assert.AssertArrayEquals("token password not updated", newToken.GetPassword(), ugiToken .GetPassword()); NUnit.Framework.Assert.AreEqual("AMRM token service not updated", new Text(ClientRMProxy .GetAMRMTokenService(conf)), ugiToken.GetService()); }
/// <summary>Check if access should be allowed.</summary> /// <remarks>Check if access should be allowed. userID is not checked if null</remarks> /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/> public virtual void CheckAccess(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier > token, string userId, ExtendedBlock block, BlockTokenSecretManager.AccessMode mode) { BlockTokenIdentifier id = new BlockTokenIdentifier(); try { id.ReadFields(new DataInputStream(new ByteArrayInputStream(token.GetIdentifier()) )); } catch (IOException) { throw new SecretManager.InvalidToken("Unable to de-serialize block token identifier for user="******", block=" + block + ", access mode=" + mode); } CheckAccess(id, userId, block, mode); if (!Arrays.Equals(RetrievePassword(id), token.GetPassword())) { throw new SecretManager.InvalidToken("Block token with " + id.ToString() + " doesn't have the correct token password" ); } }
/// <summary> /// Test if correct exception (StandbyException or RetriableException) can be /// thrown during the NN failover. /// </summary> /// <exception cref="System.Exception"/> public virtual void TestDelegationTokenDuringNNFailover() { EditLogTailer editLogTailer = nn1.GetNamesystem().GetEditLogTailer(); // stop the editLogTailer of nn1 editLogTailer.Stop(); Configuration conf = (Configuration)Whitebox.GetInternalState(editLogTailer, "conf" ); nn1.GetNamesystem().SetEditLogTailerForTests(new TestDelegationTokensWithHA.EditLogTailerForTest (this, nn1.GetNamesystem(), conf)); // create token Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken (fs, "JobTracker"); DelegationTokenIdentifier identifier = new DelegationTokenIdentifier(); byte[] tokenId = token.GetIdentifier(); identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId))); // Ensure that it's present in the nn0 secret manager and can // be renewed directly from there. Log.Info("A valid token should have non-null password, " + "and should be renewed successfully" ); NUnit.Framework.Assert.IsTrue(null != dtSecretManager.RetrievePassword(identifier )); dtSecretManager.RenewToken(token, "JobTracker"); // transition nn0 to standby cluster.TransitionToStandby(0); try { cluster.GetNameNodeRpc(0).RenewDelegationToken(token); NUnit.Framework.Assert.Fail("StandbyException is expected since nn0 is in standby state" ); } catch (StandbyException e) { GenericTestUtils.AssertExceptionContains(HAServiceProtocol.HAServiceState.Standby .ToString(), e); } new _Thread_220().Start(); Sharpen.Thread.Sleep(1000); try { nn1.GetNamesystem().VerifyToken(token.DecodeIdentifier(), token.GetPassword()); NUnit.Framework.Assert.Fail("RetriableException/StandbyException is expected since nn1 is in transition" ); } catch (IOException e) { NUnit.Framework.Assert.IsTrue(e is StandbyException || e is RetriableException); Log.Info("Got expected exception", e); } catchup = true; lock (this) { Sharpen.Runtime.NotifyAll(this); } Configuration clientConf = dfs.GetConf(); DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Renew ); DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Cancel ); }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> /// <exception cref="System.IO.IOException"/> public virtual AllocateResponse Allocate(AllocateRequest request) { NUnit.Framework.Assert.AreEqual("response ID mismatch", responseId, request.GetResponseId ()); ++responseId; Org.Apache.Hadoop.Yarn.Api.Records.Token yarnToken = null; if (amToken != null) { yarnToken = Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(amToken.GetIdentifier (), amToken.GetKind().ToString(), amToken.GetPassword(), amToken.GetService().ToString ()); } return(AllocateResponse.NewInstance(responseId, Collections.EmptyList <ContainerStatus >(), Collections.EmptyList <Container>(), Collections.EmptyList <NodeReport>(), Resources .None(), null, 1, null, Collections.EmptyList <NMToken>(), yarnToken, Collections .EmptyList <ContainerResourceIncrease>(), Collections.EmptyList <ContainerResourceDecrease >())); }
private static Org.Apache.Hadoop.Yarn.Api.Records.Token ConvertToProtoToken <_T0>( Org.Apache.Hadoop.Security.Token.Token <_T0> token) where _T0 : TokenIdentifier { return(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(token.GetIdentifier() , token.GetKind().ToString(), token.GetPassword(), token.GetService().ToString() )); }
private void VerifyTamperedToken(Configuration conf, TestClientToAMTokens.CustomAM am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token, UserGroupInformation ugi, ClientToAMTokenIdentifier maliciousID) { Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> maliciousToken = new Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier>(maliciousID .GetBytes(), token.GetPassword(), token.GetKind(), token.GetService()); ugi.AddToken(maliciousToken); try { ugi.DoAs(new _PrivilegedExceptionAction_338(am, conf)); } catch (Exception e) { NUnit.Framework.Assert.AreEqual(typeof(RemoteException).FullName, e.GetType().FullName ); e = ((RemoteException)e).UnwrapRemoteException(); NUnit.Framework.Assert.AreEqual(typeof(SaslException).GetCanonicalName(), e.GetType ().GetCanonicalName()); NUnit.Framework.Assert.IsTrue(e.Message.Contains("DIGEST-MD5: digest response format violation. " + "Mismatched response.")); NUnit.Framework.Assert.IsFalse(am.pinged); } }
public SaslClientCallbackHandler(Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier > token) { this.userName = SaslRpcServer.EncodeIdentifier(token.GetIdentifier()); this.userPassword = SaslRpcServer.EncodePassword(token.GetPassword()); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> public override void Cancel <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0> token , Configuration conf) { Org.Apache.Hadoop.Yarn.Api.Records.Token dToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(token.GetIdentifier(), token.GetKind().ToString(), token.GetPassword (), token.GetService().ToString()); MRClientProtocol histProxy = InstantiateHistoryProxy(conf, SecurityUtil.GetTokenServiceAddr (token)); try { CancelDelegationTokenRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <CancelDelegationTokenRequest>(); request.SetDelegationToken(dToken); histProxy.CancelDelegationToken(request); } finally { StopHistoryProxy(histProxy); } }
public virtual void TestDelegationToken() { YarnConfiguration conf = new YarnConfiguration(); conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]"); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ResourceScheduler scheduler = CreateMockScheduler(conf); long initialInterval = 10000l; long maxLifetime = 20000l; long renewInterval = 10000l; RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager (initialInterval, maxLifetime, renewInterval); rmDtSecretManager.StartThreads(); Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval + ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval); ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this , conf, scheduler, rmDtSecretManager); clientRMService.Init(conf); clientRMService.Start(); ApplicationClientProtocol clientRMWithDT = null; try { // Create a user for the renewr and fake the authentication-method UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**" ); NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName()); // Default realm is APACHE.ORG loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos ); Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); long tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser1", conf); GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord < GetNewApplicationRequest>(); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Renew after 50% of token age. while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2) { Sharpen.Thread.Sleep(500l); } long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token); long renewalTime = Runtime.CurrentTimeMillis(); Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime); // Wait for first expiry, but before renewed expiry. while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime. CurrentTimeMillis() < nextExpTime) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); // Valid token because of renewal. try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Wait for expiry. while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid"); // Token should have expired. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token"); } catch (Exception e) { NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType ().FullName); NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired")); } // Test cancellation // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } CancelDelegationToken(loggedInUser, clientRMService, token); if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } // Creating a new connection. clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis()); // Verify cancellation worked. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token" ); } catch (IOException) { } catch (YarnException) { } // Test new version token // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array()); RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); tokenIdentifier.ReadFields(dib); // Construct new version RMDelegationTokenIdentifier with additional field RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest (tokenIdentifier, "message"); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken = new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier , rmDtSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken (newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword (), newRMDTtoken.GetService().ToString()); // Now try talking to RMService using the new version delegation token clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress (), "loginuser3", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } } finally { rmDtSecretManager.StopThreads(); // TODO PRECOMMIT Close proxies. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); } } }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> /// <exception cref="System.IO.IOException"/> public virtual AllocateResponse Allocate(AllocateRequest request) { AMRMTokenIdentifier amrmTokenIdentifier = AuthorizeRequest(); ApplicationAttemptId appAttemptId = amrmTokenIdentifier.GetApplicationAttemptId(); ApplicationId applicationId = appAttemptId.GetApplicationId(); this.amLivelinessMonitor.ReceivedPing(appAttemptId); /* check if its in cache */ ApplicationMasterService.AllocateResponseLock Lock = responseMap[appAttemptId]; if (Lock == null) { string message = "Application attempt " + appAttemptId + " doesn't exist in ApplicationMasterService cache."; Log.Error(message); throw new ApplicationAttemptNotFoundException(message); } lock (Lock) { AllocateResponse lastResponse = Lock.GetAllocateResponse(); if (!HasApplicationMasterRegistered(appAttemptId)) { string message = "AM is not registered for known application attempt: " + appAttemptId + " or RM had restarted after AM registered . AM should re-register."; Log.Info(message); RMAuditLogger.LogFailure(this.rmContext.GetRMApps()[appAttemptId.GetApplicationId ()].GetUser(), RMAuditLogger.AuditConstants.AmAllocate, string.Empty, "ApplicationMasterService" , message, applicationId, appAttemptId); throw new ApplicationMasterNotRegisteredException(message); } if ((request.GetResponseId() + 1) == lastResponse.GetResponseId()) { /* old heartbeat */ return(lastResponse); } else { if (request.GetResponseId() + 1 < lastResponse.GetResponseId()) { string message = "Invalid responseId in AllocateRequest from application attempt: " + appAttemptId + ", expect responseId to be " + (lastResponse.GetResponseId() + 1); throw new InvalidApplicationMasterRequestException(message); } } //filter illegal progress values float filteredProgress = request.GetProgress(); if (float.IsNaN(filteredProgress) || filteredProgress == float.NegativeInfinity || filteredProgress < 0) { request.SetProgress(0); } else { if (filteredProgress > 1 || filteredProgress == float.PositiveInfinity) { request.SetProgress(1); } } // Send the status update to the appAttempt. this.rmContext.GetDispatcher().GetEventHandler().Handle(new RMAppAttemptStatusupdateEvent (appAttemptId, request.GetProgress())); IList <ResourceRequest> ask = request.GetAskList(); IList <ContainerId> release = request.GetReleaseList(); ResourceBlacklistRequest blacklistRequest = request.GetResourceBlacklistRequest(); IList <string> blacklistAdditions = (blacklistRequest != null) ? blacklistRequest. GetBlacklistAdditions() : Sharpen.Collections.EmptyList; IList <string> blacklistRemovals = (blacklistRequest != null) ? blacklistRequest.GetBlacklistRemovals () : Sharpen.Collections.EmptyList; RMApp app = this.rmContext.GetRMApps()[applicationId]; // set label expression for Resource Requests if resourceName=ANY ApplicationSubmissionContext asc = app.GetApplicationSubmissionContext(); foreach (ResourceRequest req in ask) { if (null == req.GetNodeLabelExpression() && ResourceRequest.Any.Equals(req.GetResourceName ())) { req.SetNodeLabelExpression(asc.GetNodeLabelExpression()); } } // sanity check try { RMServerUtils.NormalizeAndValidateRequests(ask, rScheduler.GetMaximumResourceCapability (), app.GetQueue(), rScheduler, rmContext); } catch (InvalidResourceRequestException e) { Log.Warn("Invalid resource ask by application " + appAttemptId, e); throw; } try { RMServerUtils.ValidateBlacklistRequest(blacklistRequest); } catch (InvalidResourceBlacklistRequestException e) { Log.Warn("Invalid blacklist request by application " + appAttemptId, e); throw; } // In the case of work-preserving AM restart, it's possible for the // AM to release containers from the earlier attempt. if (!app.GetApplicationSubmissionContext().GetKeepContainersAcrossApplicationAttempts ()) { try { RMServerUtils.ValidateContainerReleaseRequest(release, appAttemptId); } catch (InvalidContainerReleaseException e) { Log.Warn("Invalid container release by application " + appAttemptId, e); throw; } } // Send new requests to appAttempt. Allocation allocation = this.rScheduler.Allocate(appAttemptId, ask, release, blacklistAdditions , blacklistRemovals); if (!blacklistAdditions.IsEmpty() || !blacklistRemovals.IsEmpty()) { Log.Info("blacklist are updated in Scheduler." + "blacklistAdditions: " + blacklistAdditions + ", " + "blacklistRemovals: " + blacklistRemovals); } RMAppAttempt appAttempt = app.GetRMAppAttempt(appAttemptId); AllocateResponse allocateResponse = recordFactory.NewRecordInstance <AllocateResponse >(); if (!allocation.GetContainers().IsEmpty()) { allocateResponse.SetNMTokens(allocation.GetNMTokens()); } // update the response with the deltas of node status changes IList <RMNode> updatedNodes = new AList <RMNode>(); if (app.PullRMNodeUpdates(updatedNodes) > 0) { IList <NodeReport> updatedNodeReports = new AList <NodeReport>(); foreach (RMNode rmNode in updatedNodes) { SchedulerNodeReport schedulerNodeReport = rScheduler.GetNodeReport(rmNode.GetNodeID ()); Resource used = BuilderUtils.NewResource(0, 0); int numContainers = 0; if (schedulerNodeReport != null) { used = schedulerNodeReport.GetUsedResource(); numContainers = schedulerNodeReport.GetNumContainers(); } NodeId nodeId = rmNode.GetNodeID(); NodeReport report = BuilderUtils.NewNodeReport(nodeId, rmNode.GetState(), rmNode. GetHttpAddress(), rmNode.GetRackName(), used, rmNode.GetTotalCapability(), numContainers , rmNode.GetHealthReport(), rmNode.GetLastHealthReportTime(), rmNode.GetNodeLabels ()); updatedNodeReports.AddItem(report); } allocateResponse.SetUpdatedNodes(updatedNodeReports); } allocateResponse.SetAllocatedContainers(allocation.GetContainers()); allocateResponse.SetCompletedContainersStatuses(appAttempt.PullJustFinishedContainers ()); allocateResponse.SetResponseId(lastResponse.GetResponseId() + 1); allocateResponse.SetAvailableResources(allocation.GetResourceLimit()); allocateResponse.SetNumClusterNodes(this.rScheduler.GetNumClusterNodes()); // add preemption to the allocateResponse message (if any) allocateResponse.SetPreemptionMessage(GeneratePreemptionMessage(allocation)); // update AMRMToken if the token is rolled-up MasterKeyData nextMasterKey = this.rmContext.GetAMRMTokenSecretManager().GetNextMasterKeyData (); if (nextMasterKey != null && nextMasterKey.GetMasterKey().GetKeyId() != amrmTokenIdentifier .GetKeyId()) { RMAppAttemptImpl appAttemptImpl = (RMAppAttemptImpl)appAttempt; Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = appAttempt .GetAMRMToken(); if (nextMasterKey.GetMasterKey().GetKeyId() != appAttemptImpl.GetAMRMTokenKeyId()) { Log.Info("The AMRMToken has been rolled-over. Send new AMRMToken back" + " to application: " + applicationId); amrmToken = rmContext.GetAMRMTokenSecretManager().CreateAndGetAMRMToken(appAttemptId ); appAttemptImpl.SetAMRMToken(amrmToken); } allocateResponse.SetAMRMToken(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance (amrmToken.GetIdentifier(), amrmToken.GetKind().ToString(), amrmToken.GetPassword (), amrmToken.GetService().ToString())); } /* * As we are updating the response inside the lock object so we don't * need to worry about unregister call occurring in between (which * removes the lock object). */ Lock.SetAllocateResponse(allocateResponse); return(allocateResponse); } }