/// <exception cref="System.IO.IOException"/> private NMTokenIdentifier GetNMTokenId(Org.Apache.Hadoop.Yarn.Api.Records.Token token ) { Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> convertedToken = ConverterUtils .ConvertFromYarn(token, (Text)null); return(convertedToken.DecodeIdentifier()); }
// Get the delegation token directly as it is a little difficult to setup // the kerberos based rpc. /// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> private Org.Apache.Hadoop.Yarn.Api.Records.Token GetDelegationToken(UserGroupInformation loggedInUser, ApplicationClientProtocol clientRMService, string renewerString) { Org.Apache.Hadoop.Yarn.Api.Records.Token token = loggedInUser.DoAs(new _PrivilegedExceptionAction_405 (renewerString, clientRMService)); return(token); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> private long RenewDelegationToken(UserGroupInformation loggedInUser, ApplicationClientProtocol clientRMService, Org.Apache.Hadoop.Yarn.Api.Records.Token dToken) { long nextExpTime = loggedInUser.DoAs(new _PrivilegedExceptionAction_423(dToken, clientRMService )); return(nextExpTime); }
/// <exception cref="System.IO.IOException"/> public static ContainerTokenIdentifier NewContainerTokenIdentifier(Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken) { Org.Apache.Hadoop.Security.Token.Token <ContainerTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <ContainerTokenIdentifier>(((byte[])containerToken.GetIdentifier().Array()), ((byte [])containerToken.GetPassword().Array()), new Text(containerToken.GetKind()), new Text(containerToken.GetService())); return(token.DecodeIdentifier()); }
/// <summary>This tests whether a containerId is serialized/deserialized with epoch.</summary> /// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> private void TestContainerTokenWithEpoch(Configuration conf) { Log.Info("Running test for serializing/deserializing containerIds"); NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager ().GetRMContext().GetNMTokenSecretManager(); ApplicationId appId = ApplicationId.NewInstance(1, 1); ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0); ContainerId cId = ContainerId.NewContainerId(appAttemptId, (5L << 40) | 3L); NodeManager nm = yarnCluster.GetNodeManager(0); NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager (); string user = "******"; WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm); NodeId nodeId = nm.GetNMContext().GetNodeId(); // Both id should be equal. NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId (), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId()); // Creating a normal Container Token RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager ().GetRMContext().GetContainerTokenSecretManager(); Resource r = Resource.NewInstance(1230, 2); Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager .CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0); ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier( ); byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array()); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); containerTokenIdentifier.ReadFields(dib); NUnit.Framework.Assert.AreEqual(cId, containerTokenIdentifier.GetContainerID()); NUnit.Framework.Assert.AreEqual(cId.ToString(), containerTokenIdentifier.GetContainerID ().ToString()); Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken (appAttemptId, nodeId, user); YarnRPC rpc = YarnRPC.Create(conf); TestStartContainer(rpc, appAttemptId, nodeId, containerToken, nmToken, false); IList <ContainerId> containerIds = new List <ContainerId>(); containerIds.AddItem(cId); ContainerManagementProtocol proxy = GetContainerManagementProtocolProxy(rpc, nmToken , nodeId, user); GetContainerStatusesResponse res = proxy.GetContainerStatuses(GetContainerStatusesRequest .NewInstance(containerIds)); NUnit.Framework.Assert.IsNotNull(res.GetContainerStatuses()[0]); NUnit.Framework.Assert.AreEqual(cId, res.GetContainerStatuses()[0].GetContainerId ()); NUnit.Framework.Assert.AreEqual(cId.ToString(), res.GetContainerStatuses()[0].GetContainerId ().ToString()); }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> /// <exception cref="System.IO.IOException"/> public override Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> GetAMRMToken (ApplicationId appId) { Org.Apache.Hadoop.Yarn.Api.Records.Token token = GetApplicationReport(appId).GetAMRMToken (); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = null; if (token != null) { amrmToken = ConverterUtils.ConvertFromYarn(token, (Text)null); } return(amrmToken); }
public static Org.Apache.Hadoop.Yarn.Api.Records.Token NewContainerToken(NodeId nodeId , byte[] password, ContainerTokenIdentifier tokenIdentifier) { // RPC layer client expects ip:port as service for tokens IPEndPoint addr = NetUtils.CreateSocketAddrForHost(nodeId.GetHost(), nodeId.GetPort ()); // NOTE: use SecurityUtil.setTokenService if this becomes a "real" token Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(tokenIdentifier.GetBytes(), ContainerTokenIdentifier.Kind.ToString( ), password, SecurityUtil.BuildTokenService(addr).ToString()); return(containerToken); }
/// <summary>Convert a protobuf token into a rpc token and set its service.</summary> /// <param name="protoToken">the yarn token</param> /// <param name="service">the service for the token</param> public static Org.Apache.Hadoop.Security.Token.Token <T> ConvertFromYarn <T>(Org.Apache.Hadoop.Yarn.Api.Records.Token protoToken, Text service) where T : TokenIdentifier { Org.Apache.Hadoop.Security.Token.Token <T> token = new Org.Apache.Hadoop.Security.Token.Token <T>(((byte[])protoToken.GetIdentifier().Array()), ((byte[])protoToken.GetPassword ().Array()), new Text(protoToken.GetKind()), new Text(protoToken.GetService())); if (service != null) { token.SetService(service); } return(token); }
public static Org.Apache.Hadoop.Yarn.Api.Records.Token NewInstance(byte[] password , NMTokenIdentifier identifier) { NodeId nodeId = identifier.GetNodeId(); // RPC layer client expects ip:port as service for tokens IPEndPoint addr = NetUtils.CreateSocketAddrForHost(nodeId.GetHost(), nodeId.GetPort ()); Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(identifier.GetBytes(), NMTokenIdentifier.Kind.ToString(), password, SecurityUtil.BuildTokenService(addr).ToString()); return(nmToken); }
/// <exception cref="System.IO.IOException"/> private ContainerTokenIdentifier GetContainerTokenIdentifierFromToken(Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken) { ContainerTokenIdentifier containerTokenIdentifier; containerTokenIdentifier = new ContainerTokenIdentifier(); byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array()); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); containerTokenIdentifier.ReadFields(dib); return(containerTokenIdentifier); }
/// <exception cref="System.IO.IOException"/> private static ContainerTokenIdentifier CreateContainerTokenId(ContainerId cid, NodeId nodeId, string user, NMContainerTokenSecretManager secretMgr) { long rmid = cid.GetApplicationAttemptId().GetApplicationId().GetClusterTimestamp( ); ContainerTokenIdentifier ctid = new ContainerTokenIdentifier(cid, nodeId.ToString (), user, BuilderUtils.NewResource(1024, 1), Runtime.CurrentTimeMillis() + 100000L , secretMgr.GetCurrentKey().GetKeyId(), rmid, Priority.NewInstance(0), 0); Org.Apache.Hadoop.Yarn.Api.Records.Token token = BuilderUtils.NewContainerToken(nodeId , secretMgr.CreatePassword(ctid), ctid); return(BuilderUtils.NewContainerTokenIdentifier(token)); }
private ApplicationClientProtocol GetClientRMProtocolWithDT(Org.Apache.Hadoop.Yarn.Api.Records.Token token, IPEndPoint rmAddress, string user, Configuration conf) { // Maybe consider converting to Hadoop token, serialize de-serialize etc // before trying to renew the token. UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user); ugi.AddToken(ConverterUtils.ConvertFromYarn(token, rmAddress)); YarnRPC rpc = YarnRPC.Create(conf); ApplicationClientProtocol clientRMWithDT = ugi.DoAs(new _PrivilegedAction_464(rpc , rmAddress, conf)); return(clientRMWithDT); }
protected internal virtual ContainerManagementProtocol GetContainerManagementProtocolProxy (YarnRPC rpc, Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken, NodeId nodeId, string user) { ContainerManagementProtocol proxy; UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user); IPEndPoint addr = NetUtils.CreateSocketAddr(nodeId.GetHost(), nodeId.GetPort()); if (nmToken != null) { ugi.AddToken(ConverterUtils.ConvertFromYarn(nmToken, addr)); } proxy = NMProxy.CreateNMProxy <ContainerManagementProtocol>(conf, ugi, rpc, addr); return(proxy); }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> /// <exception cref="System.IO.IOException"/> public virtual AllocateResponse Allocate(AllocateRequest request) { NUnit.Framework.Assert.AreEqual("response ID mismatch", responseId, request.GetResponseId ()); ++responseId; Org.Apache.Hadoop.Yarn.Api.Records.Token yarnToken = null; if (amToken != null) { yarnToken = Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(amToken.GetIdentifier (), amToken.GetKind().ToString(), amToken.GetPassword(), amToken.GetService().ToString ()); } return(AllocateResponse.NewInstance(responseId, Collections.EmptyList <ContainerStatus >(), Collections.EmptyList <Container>(), Collections.EmptyList <NodeReport>(), Resources .None(), null, 1, null, Collections.EmptyList <NMToken>(), yarnToken, Collections .EmptyList <ContainerResourceIncrease>(), Collections.EmptyList <ContainerResourceDecrease >())); }
public GetDelegationTokenResponse Answer(InvocationOnMock invocation) { GetDelegationTokenRequest request = (GetDelegationTokenRequest)invocation.GetArguments ()[0]; NUnit.Framework.Assert.AreEqual(masterPrincipal, request.GetRenewer()); Org.Apache.Hadoop.Yarn.Api.Records.Token token = TestYARNRunner.recordFactory.NewRecordInstance <Org.Apache.Hadoop.Yarn.Api.Records.Token>(); token.SetKind(string.Empty); token.SetService(string.Empty); token.SetIdentifier(ByteBuffer.Allocate(0)); token.SetPassword(ByteBuffer.Allocate(0)); GetDelegationTokenResponse tokenResponse = TestYARNRunner.recordFactory.NewRecordInstance <GetDelegationTokenResponse>(); tokenResponse.SetDelegationToken(token); return(tokenResponse); }
/// <exception cref="System.Exception"/> public virtual void TestGetHSDelegationToken() { try { Configuration conf = new Configuration(); // Setup mock service IPEndPoint mockRmAddress = new IPEndPoint("localhost", 4444); Text rmTokenSevice = SecurityUtil.BuildTokenService(mockRmAddress); IPEndPoint mockHsAddress = new IPEndPoint("localhost", 9200); Text hsTokenSevice = SecurityUtil.BuildTokenService(mockHsAddress); // Setup mock rm token RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new Text("owner"), new Text("renewer"), new Text("real")); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(new byte[0], new byte[0], tokenIdentifier.GetKind( ), rmTokenSevice); token.SetKind(RMDelegationTokenIdentifier.KindName); // Setup mock history token Org.Apache.Hadoop.Yarn.Api.Records.Token historyToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(new byte[0], MRDelegationTokenIdentifier.KindName.ToString(), new byte [0], hsTokenSevice.ToString()); GetDelegationTokenResponse getDtResponse = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetDelegationTokenResponse>(); getDtResponse.SetDelegationToken(historyToken); // mock services MRClientProtocol mockHsProxy = Org.Mockito.Mockito.Mock <MRClientProtocol>(); Org.Mockito.Mockito.DoReturn(mockHsAddress).When(mockHsProxy).GetConnectAddress(); Org.Mockito.Mockito.DoReturn(getDtResponse).When(mockHsProxy).GetDelegationToken( Matchers.Any <GetDelegationTokenRequest>()); ResourceMgrDelegate rmDelegate = Org.Mockito.Mockito.Mock <ResourceMgrDelegate>(); Org.Mockito.Mockito.DoReturn(rmTokenSevice).When(rmDelegate).GetRMDelegationTokenService (); ClientCache clientCache = Org.Mockito.Mockito.Mock <ClientCache>(); Org.Mockito.Mockito.DoReturn(mockHsProxy).When(clientCache).GetInitializedHSProxy (); Credentials creds = new Credentials(); YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache); // No HS token if no RM token yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); // No HS token if RM token, but secirity disabled. creds.AddToken(new Text("rmdt"), token); yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); creds = new Credentials(); // No HS token if no RM token, security enabled yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(0)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); // HS token if RM token present, security enabled creds.AddToken(new Text("rmdt"), token); yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); // No additional call to get HS token if RM and HS token present yarnRunner.AddHistoryToken(creds); Org.Mockito.Mockito.Verify(mockHsProxy, Org.Mockito.Mockito.Times(1)).GetDelegationToken (Matchers.Any <GetDelegationTokenRequest>()); } finally { // Back to defaults. UserGroupInformation.SetConfiguration(new Configuration()); } }
public virtual void TestDelegationToken() { YarnConfiguration conf = new YarnConfiguration(); conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]"); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ResourceScheduler scheduler = CreateMockScheduler(conf); long initialInterval = 10000l; long maxLifetime = 20000l; long renewInterval = 10000l; RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager (initialInterval, maxLifetime, renewInterval); rmDtSecretManager.StartThreads(); Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval + ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval); ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this , conf, scheduler, rmDtSecretManager); clientRMService.Init(conf); clientRMService.Start(); ApplicationClientProtocol clientRMWithDT = null; try { // Create a user for the renewr and fake the authentication-method UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**" ); NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName()); // Default realm is APACHE.ORG loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos ); Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); long tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser1", conf); GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord < GetNewApplicationRequest>(); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Renew after 50% of token age. while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2) { Sharpen.Thread.Sleep(500l); } long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token); long renewalTime = Runtime.CurrentTimeMillis(); Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime); // Wait for first expiry, but before renewed expiry. while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime. CurrentTimeMillis() < nextExpTime) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); // Valid token because of renewal. try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } // Wait for expiry. while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval) { Sharpen.Thread.Sleep(500l); } Sharpen.Thread.Sleep(50l); Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid"); // Token should have expired. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token"); } catch (Exception e) { NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType ().FullName); NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired")); } // Test cancellation // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); tokenFetchTime = Runtime.CurrentTimeMillis(); Log.Info("Got delegation token at: " + tokenFetchTime); // Now try talking to RMService using the delegation token clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } CancelDelegationToken(loggedInUser, clientRMService, token); if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } // Creating a new connection. clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress( ), "loginuser2", conf); Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis()); // Verify cancellation worked. try { clientRMWithDT.GetNewApplication(request); NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token" ); } catch (IOException) { } catch (YarnException) { } // Test new version token // Stop the existing proxy, start another. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); clientRMWithDT = null; } token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName ()); byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array()); RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); tokenIdentifier.ReadFields(dib); // Construct new version RMDelegationTokenIdentifier with additional field RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest (tokenIdentifier, "message"); Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken = new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier , rmDtSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken (newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword (), newRMDTtoken.GetService().ToString()); // Now try talking to RMService using the new version delegation token clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress (), "loginuser3", conf); request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest> (); try { clientRMWithDT.GetNewApplication(request); } catch (IOException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } catch (YarnException e) { NUnit.Framework.Assert.Fail("Unexpected exception" + e); } } finally { rmDtSecretManager.StopThreads(); // TODO PRECOMMIT Close proxies. if (clientRMWithDT != null) { RPC.StopProxy(clientRMWithDT); } } }
/// <exception cref="System.Exception"/> public virtual void TestClientTokenRace() { conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol >(); StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse >(); Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest )Matchers.Any())).ThenReturn(mockResponse); DrainDispatcher dispatcher = new DrainDispatcher(); MockRM rm = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager ); rm.Start(); // Submit an app RMApp app = rm.SubmitApp(1024); // Set up a node. MockNM nm1 = rm.RegisterNode("localhost:1234", 3072); nm1.NodeHeartbeat(true); dispatcher.Await(); nm1.NodeHeartbeat(true); dispatcher.Await(); ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId(); MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app .GetCurrentAppAttempt().GetAppAttemptId()); UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString ()); RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469 (mockAM)); // Get the app-report. GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetApplicationReportRequest>(); request.SetApplicationId(app.GetApplicationId()); GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport (request); ApplicationReport appReport = reportResponse.GetApplicationReport(); Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken (); // ClientToAMToken master key should have been received on register // application master response. ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey(); NUnit.Framework.Assert.IsNotNull(clientMasterKey); NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0); // Start the AM with the correct shared-secret. ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next (); NUnit.Framework.Assert.IsNotNull(appAttemptId); TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId , null); am.Init(conf); am.Start(); // Now the real test! // Set up clients to be able to pick up correct tokens. SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo ()); Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils .ConvertFromYarn(originalClientToAMToken, am.address); // Schedule the key to be set after a significant delay Timer timer = new Timer(); TimerTask timerTask = new _TimerTask_516(am, clientMasterKey); timer.Schedule(timerTask, 250); // connect should pause waiting for the master key to arrive VerifyValidToken(conf, am, token); am.Stop(); rm.Stop(); }
public _PrivilegedExceptionAction_440(Org.Apache.Hadoop.Yarn.Api.Records.Token dToken , ApplicationClientProtocol clientRMService) { this.dToken = dToken; this.clientRMService = clientRMService; }
public static ApplicationReport NewApplicationReport(ApplicationId applicationId, ApplicationAttemptId applicationAttemptId, string user, string queue, string name , string host, int rpcPort, Org.Apache.Hadoop.Yarn.Api.Records.Token clientToAMToken , YarnApplicationState state, string diagnostics, string url, long startTime, long finishTime, FinalApplicationStatus finalStatus, ApplicationResourceUsageReport appResources, string origTrackingUrl, float progress, string appType, Org.Apache.Hadoop.Yarn.Api.Records.Token amRmToken, ICollection <string> tags) { ApplicationReport report = recordFactory.NewRecordInstance <ApplicationReport>(); report.SetApplicationId(applicationId); report.SetCurrentApplicationAttemptId(applicationAttemptId); report.SetUser(user); report.SetQueue(queue); report.SetName(name); report.SetHost(host); report.SetRpcPort(rpcPort); report.SetClientToAMToken(clientToAMToken); report.SetYarnApplicationState(state); report.SetDiagnostics(diagnostics); report.SetTrackingUrl(url); report.SetStartTime(startTime); report.SetFinishTime(finishTime); report.SetFinalApplicationStatus(finalStatus); report.SetApplicationResourceUsageReport(appResources); report.SetOriginalTrackingUrl(origTrackingUrl); report.SetProgress(progress); report.SetApplicationType(appType); report.SetAMRMToken(amRmToken); report.SetApplicationTags(tags); return(report); }
/// <summary> /// This tests a malice user getting a proper token but then messing with it by /// tampering with containerID/Resource etc.. /// </summary> /// <remarks> /// This tests a malice user getting a proper token but then messing with it by /// tampering with containerID/Resource etc.. His/her containers should be /// rejected. /// </remarks> /// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> private void TestContainerToken(Configuration conf) { Log.Info("Running test for malice user"); /* * We need to check for containerToken (authorization). * Here we will be assuming that we have valid NMToken * 1) ContainerToken used is expired. * 2) ContainerToken is tampered (resource is modified). */ NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager ().GetRMContext().GetNMTokenSecretManager(); ApplicationId appId = ApplicationId.NewInstance(1, 1); ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0); ContainerId cId = ContainerId.NewContainerId(appAttemptId, 0); NodeManager nm = yarnCluster.GetNodeManager(0); NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager (); string user = "******"; WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm); NodeId nodeId = nm.GetNMContext().GetNodeId(); // Both id should be equal. NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId (), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId()); RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager ().GetRMContext().GetContainerTokenSecretManager(); Resource r = Resource.NewInstance(1230, 2); Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager .CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0); ContainerTokenIdentifier containerTokenIdentifier = GetContainerTokenIdentifierFromToken (containerToken); // Verify new compatible version ContainerTokenIdentifier can work successfully. ContainerTokenIdentifierForTest newVersionTokenIdentifier = new ContainerTokenIdentifierForTest (containerTokenIdentifier, "message"); byte[] password = containerTokenSecretManager.CreatePassword(newVersionTokenIdentifier ); Org.Apache.Hadoop.Yarn.Api.Records.Token newContainerToken = BuilderUtils.NewContainerToken (nodeId, password, newVersionTokenIdentifier); Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken (appAttemptId, nodeId, user); YarnRPC rpc = YarnRPC.Create(conf); NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, newContainerToken , nmToken, false).IsEmpty()); // Creating a tampered Container Token RMContainerTokenSecretManager tamperedContainerTokenSecretManager = new RMContainerTokenSecretManager (conf); tamperedContainerTokenSecretManager.RollMasterKey(); do { tamperedContainerTokenSecretManager.RollMasterKey(); tamperedContainerTokenSecretManager.ActivateNextMasterKey(); }while (containerTokenSecretManager.GetCurrentKey().GetKeyId() == tamperedContainerTokenSecretManager .GetCurrentKey().GetKeyId()); ContainerId cId2 = ContainerId.NewContainerId(appAttemptId, 1); // Creating modified containerToken Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken2 = tamperedContainerTokenSecretManager .CreateContainerToken(cId2, nodeId, user, r, Priority.NewInstance(0), 0); StringBuilder sb = new StringBuilder("Given Container "); sb.Append(cId2); sb.Append(" seems to have an illegally generated token."); NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, containerToken2 , nmToken, true).Contains(sb.ToString())); }
public virtual void TestClientToAMTokens() { conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol >(); StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse >(); Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest )Matchers.Any())).ThenReturn(mockResponse); DrainDispatcher dispatcher = new DrainDispatcher(); MockRM rm = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager ); rm.Start(); // Submit an app RMApp app = rm.SubmitApp(1024); // Set up a node. MockNM nm1 = rm.RegisterNode("localhost:1234", 3072); nm1.NodeHeartbeat(true); dispatcher.Await(); nm1.NodeHeartbeat(true); dispatcher.Await(); ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId(); MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app .GetCurrentAppAttempt().GetAppAttemptId()); UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString ()); RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_229 (mockAM)); // Get the app-report. GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetApplicationReportRequest>(); request.SetApplicationId(app.GetApplicationId()); GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport (request); ApplicationReport appReport = reportResponse.GetApplicationReport(); Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken (); // ClientToAMToken master key should have been received on register // application master response. NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey()); NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array ()).Length > 0); // Start the AM with the correct shared-secret. ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next (); NUnit.Framework.Assert.IsNotNull(appAttemptId); TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId , ((byte[])response.GetClientToAMTokenMasterKey().Array())); am.Init(conf); am.Start(); // Now the real test! // Set up clients to be able to pick up correct tokens. SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo ()); // Verify denial for unauthenticated user try { TestClientToAMTokens.CustomProtocol client = (TestClientToAMTokens.CustomProtocol )RPC.GetProxy <TestClientToAMTokens.CustomProtocol>(1L, am.address, conf); client.Ping(); NUnit.Framework.Assert.Fail("Access by unauthenticated user should fail!!"); } catch (Exception) { NUnit.Framework.Assert.IsFalse(am.pinged); } Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils .ConvertFromYarn(originalClientToAMToken, am.address); // Verify denial for a malicious user with tampered ID VerifyTokenWithTamperedID(conf, am, token); // Verify denial for a malicious user with tampered user-name VerifyTokenWithTamperedUserName(conf, am, token); // Now for an authenticated user VerifyValidToken(conf, am, token); // Verify for a new version token VerifyNewVersionToken(conf, am, token, rm); am.Stop(); rm.Stop(); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> private void CancelDelegationToken(UserGroupInformation loggedInUser, ApplicationClientProtocol clientRMService, Org.Apache.Hadoop.Yarn.Api.Records.Token dToken) { loggedInUser.DoAs(new _PrivilegedExceptionAction_440(dToken, clientRMService)); }