/// <summary>
/// Builds the test identifier from an existing <c>NMTokenIdentifier</c> plus an
/// additional message field.
/// </summary>
/// <param name="tokenIdentifier">
/// Identifier whose application attempt id, node id, application submitter and
/// key id are copied into the new proto.
/// </param>
/// <param name="message">Value stored in the new proto's message field.</param>
public NMTokenIdentifierNewForTest(NMTokenIdentifier tokenIdentifier, string message)
{
    builder = YarnSecurityTestTokenProtos.NMTokenIdentifierNewProto.NewBuilder();

    // The attempt id and node id are read from the source identifier's proto;
    // the submitter and key id come from its accessor methods.
    var attemptId = tokenIdentifier.GetProto().GetAppAttemptId();
    builder.SetAppAttemptId(attemptId);

    var node = tokenIdentifier.GetProto().GetNodeId();
    builder.SetNodeId(node);

    var submitter = tokenIdentifier.GetApplicationSubmitter();
    builder.SetAppSubmitter(submitter);

    // The key id names the master key the token was issued under; it is copied
    // unchanged from the source identifier.
    var masterKeyId = tokenIdentifier.GetKeyId();
    builder.SetKeyId(masterKeyId);

    builder.SetMessage(message);

    var built = (YarnSecurityTestTokenProtos.NMTokenIdentifierNewProto)builder.Build();
    proto = built;

    // The builder field is cleared once the proto exists
    // (presumably to mark the identifier as fully built; confirm against the class).
    builder = null;
}
/// <summary>
/// Picks the master key that applies to an NMToken identifier and returns the
/// password computed from it. This is what allows NMTokens generated under
/// different master keys to be verified.
/// </summary>
/// <param name="identifier">Identifier carried by the presented NMToken.</param>
/// <returns>The password computed for <paramref name="identifier"/> with the selected master key.</returns>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken">
/// The identifier names a different node than this one, or no master key is
/// available for its application attempt.
/// </exception>
public override byte[] RetrievePassword(NMTokenIdentifier identifier)
{
    // Serialised on this instance; AppAttemptStartContainer takes the same lock,
    // so key selection never sees a half-applied key update from it.
    lock (this)
    {
        int tokenKeyId = identifier.GetKeyId();
        ApplicationAttemptId attemptId = identifier.GetApplicationAttemptId();

        // Key selection, from default to override:
        //   1) the key saved earlier for this application attempt;
        //   2) the previous master key, when the token's key id matches it;
        //   3) the current master key, when the token's key id matches it.
        // NOTE(review): in case 1 the saved key's id is not compared with the
        // token's key id. Presumably a mismatch is caught when the caller compares
        // the returned password with the one in the token - confirm.
        MasterKeyData selectedKey = oldMasterKeys[attemptId];
        bool matchesPrevious = previousMasterKey != null
            && tokenKeyId == previousMasterKey.GetMasterKey().GetKeyId();
        if (matchesPrevious)
        {
            selectedKey = previousMasterKey;
        }
        else if (tokenKeyId == currentMasterKey.GetMasterKey().GetKeyId())
        {
            selectedKey = currentMasterKey;
        }

        // Node binding: a token issued for another node is rejected before any
        // password is computed. While nodeId is still null this check is skipped,
        // so the binding is not enforced in that state.
        bool issuedForOtherNode = nodeId != null && !identifier.GetNodeId().Equals(nodeId);
        if (issuedForOtherNode)
        {
            string wrongNode = "Given NMToken for application : " + attemptId.ToString()
                + " is not valid for current node manager." + "expected : " + nodeId.ToString()
                + " found : " + identifier.GetNodeId().ToString();
            throw new SecretManager.InvalidToken(wrongNode);
        }

        // No saved, previous or current key applies to this attempt.
        if (selectedKey == null)
        {
            string noKey = "Given NMToken for application : " + attemptId.ToString()
                + " seems to have been generated illegally.";
            throw new SecretManager.InvalidToken(noKey);
        }

        byte[] password = RetrivePasswordInternal(identifier, selectedKey);

        // The log line is a constant: it carries neither the password nor any
        // key material, and should stay that way.
        Log.Debug("NMToken password retrieved successfully!!");

        // NOTE(review): the comparison of this value with the token's password
        // happens outside this method; confirm it is done in constant time.
        return password;
    }
}
/// <summary>
/// Records the master key of an NMToken for its application attempt. Called by
/// startContainer.
/// </summary>
/// <remarks>
/// Adds the master key to the cache used for starting this container. This
/// should be called before validating the startContainer request.
/// </remarks>
/// <param name="identifier">Identifier carried by the NMToken of the startContainer request.</param>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken">
/// The token's key id matches neither the current nor the previous master key.
/// </exception>
public virtual void AppAttemptStartContainer(NMTokenIdentifier identifier)
{
    // Same monitor as RetrievePassword, so a key update is never observed
    // half-applied by a concurrent password lookup.
    lock (this)
    {
        ApplicationAttemptId attemptId = identifier.GetApplicationAttemptId();

        // First attempt seen for this application: start its attempt list.
        if (!appToAppAttemptMap.Contains(attemptId.GetApplicationId()))
        {
            appToAppAttemptMap[attemptId.GetApplicationId()] = new AList<ApplicationAttemptId>();
        }

        MasterKeyData cachedKey = oldMasterKeys[attemptId];
        if (cachedKey == null)
        {
            // No key saved yet, so this attempt is new: register it.
            // NOTE(review): this bookkeeping is written before the key id is
            // checked below, so a request rejected with InvalidToken still leaves
            // the attempt registered without a saved key - confirm that callers
            // and the cleanup path tolerate that.
            appToAppAttemptMap[attemptId.GetApplicationId()].AddItem(attemptId);
        }

        // The saved key already matches the token's key id: nothing to update.
        if (cachedKey != null && cachedKey.GetMasterKey().GetKeyId() == identifier.GetKeyId())
        {
            return;
        }

        Log.Debug("NMToken key updated for application attempt : "
            + identifier.GetApplicationAttemptId().ToString());

        // Only the current or the previous master key may be saved for an attempt;
        // a token issued under any older key is refused here.
        if (identifier.GetKeyId() == currentMasterKey.GetMasterKey().GetKeyId())
        {
            UpdateAppAttemptKey(attemptId, currentMasterKey);
            return;
        }

        if (previousMasterKey != null
            && identifier.GetKeyId() == previousMasterKey.GetMasterKey().GetKeyId())
        {
            UpdateAppAttemptKey(attemptId, previousMasterKey);
            return;
        }

        throw new SecretManager.InvalidToken("Older NMToken should not be used while starting the container.");
    }
}