public ClientRMServiceForTest(TestClientRMTokens _enclosing, Configuration conf,
ResourceScheduler scheduler, RMDelegationTokenSecretManager rmDTSecretManager)
: base(Org.Mockito.Mockito.Mock <RMContext>(), scheduler, Org.Mockito.Mockito.Mock
<RMAppManager>(), new ApplicationACLsManager(conf), new QueueACLsManager(scheduler
, conf), rmDTSecretManager)
{
this._enclosing = _enclosing;
}
public MyClientRMService(RMContext rmContext, YarnScheduler scheduler, RMAppManager
rmAppManager, ApplicationACLsManager applicationACLsManager, QueueACLsManager queueACLsManager
, RMDelegationTokenSecretManager rmDTSecretManager)
: base(rmContext, scheduler, rmAppManager, applicationACLsManager, queueACLsManager
, rmDTSecretManager)
{
this.rmContext = rmContext;
}
private static RMDelegationTokenSecretManager CreateRMDelegationTokenSecretManager
(long secretKeyInterval, long tokenMaxLifetime, long tokenRenewInterval)
{
RMContext rmContext = Org.Mockito.Mockito.Mock <RMContext>();
Org.Mockito.Mockito.When(rmContext.GetStateStore()).ThenReturn(new NullRMStateStore
());
RMDelegationTokenSecretManager rmDtSecretManager = new RMDelegationTokenSecretManager
(secretKeyInterval, tokenMaxLifetime, tokenRenewInterval, 3600000, rmContext);
return(rmDtSecretManager);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private void CheckShortCircuitRenewCancel(IPEndPoint rmAddr, IPEndPoint serviceAddr
, bool shouldShortCircuit)
{
Configuration conf = new Configuration();
conf.SetClass(YarnConfiguration.IpcRpcImpl, typeof(TestClientRMTokens.YarnBadRPC)
, typeof(YarnRPC));
RMDelegationTokenSecretManager secretManager = Org.Mockito.Mockito.Mock <RMDelegationTokenSecretManager
>();
RMDelegationTokenIdentifier.Renewer.SetSecretManager(secretManager, rmAddr);
RMDelegationTokenIdentifier ident = new RMDelegationTokenIdentifier(new Text("owner"
), new Text("renewer"), null);
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<RMDelegationTokenIdentifier>(ident, secretManager);
SecurityUtil.SetTokenService(token, serviceAddr);
if (shouldShortCircuit)
{
token.Renew(conf);
Org.Mockito.Mockito.Verify(secretManager).RenewToken(Matchers.Eq(token), Matchers.Eq
("renewer"));
Org.Mockito.Mockito.Reset(secretManager);
token.Cancel(conf);
Org.Mockito.Mockito.Verify(secretManager).CancelToken(Matchers.Eq(token), Matchers.Eq
("renewer"));
}
else
{
try
{
token.Renew(conf);
NUnit.Framework.Assert.Fail();
}
catch (RuntimeException e)
{
NUnit.Framework.Assert.AreEqual("getProxy", e.Message);
}
Org.Mockito.Mockito.Verify(secretManager, Org.Mockito.Mockito.Never()).RenewToken
(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>(), Matchers.AnyString());
try
{
token.Cancel(conf);
NUnit.Framework.Assert.Fail();
}
catch (RuntimeException e)
{
NUnit.Framework.Assert.AreEqual("getProxy", e.Message);
}
Org.Mockito.Mockito.Verify(secretManager, Org.Mockito.Mockito.Never()).CancelToken
(Matchers.Any <Org.Apache.Hadoop.Security.Token.Token>(), Matchers.AnyString());
}
}
/// <summary>Construct the service.</summary>
public RMSecretManagerService(Configuration conf, RMContextImpl rmContext)
: base(typeof(Org.Apache.Hadoop.Yarn.Server.Resourcemanager.RMSecretManagerService
).FullName)
{
this.rmContext = rmContext;
// To initialize correctly, these managers should be created before
// being called serviceInit().
nmTokenSecretManager = CreateNMTokenSecretManager(conf);
rmContext.SetNMTokenSecretManager(nmTokenSecretManager);
containerTokenSecretManager = CreateContainerTokenSecretManager(conf);
rmContext.SetContainerTokenSecretManager(containerTokenSecretManager);
clientToAMSecretManager = CreateClientToAMTokenSecretManager();
rmContext.SetClientToAMTokenSecretManager(clientToAMSecretManager);
amRmTokenSecretManager = CreateAMRMTokenSecretManager(conf, this.rmContext);
rmContext.SetAMRMTokenSecretManager(amRmTokenSecretManager);
rmDTSecretManager = CreateRMDelegationTokenSecretManager(conf, rmContext);
rmContext.SetRMDelegationTokenSecretManager(rmDTSecretManager);
}
public virtual void SetRMDelegationTokenSecretManager(RMDelegationTokenSecretManager
delegationTokenSecretManager)
{
activeServiceContext.SetRMDelegationTokenSecretManager(delegationTokenSecretManager
);
}
public CustomedClientRMService(MiniYARNClusterForHATesting _enclosing, RMContext
rmContext, YarnScheduler scheduler, RMAppManager rmAppManager, ApplicationACLsManager
applicationACLsManager, QueueACLsManager queueACLsManager, RMDelegationTokenSecretManager
rmDTSecretManager)
: base(rmContext, scheduler, rmAppManager, applicationACLsManager, queueACLsManager
, rmDTSecretManager)
{
this._enclosing = _enclosing;
}
public virtual void TestDelegationToken()
{
YarnConfiguration conf = new YarnConfiguration();
conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]");
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ResourceScheduler scheduler = CreateMockScheduler(conf);
long initialInterval = 10000l;
long maxLifetime = 20000l;
long renewInterval = 10000l;
RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager
(initialInterval, maxLifetime, renewInterval);
rmDtSecretManager.StartThreads();
Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval
+ ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval);
ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this
, conf, scheduler, rmDtSecretManager);
clientRMService.Init(conf);
clientRMService.Start();
ApplicationClientProtocol clientRMWithDT = null;
try
{
// Create a user for the renewr and fake the authentication-method
UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**"
);
NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName());
// Default realm is APACHE.ORG
loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
);
Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
long tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser1", conf);
GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <
GetNewApplicationRequest>();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Renew after 50% of token age.
while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2)
{
Sharpen.Thread.Sleep(500l);
}
long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token);
long renewalTime = Runtime.CurrentTimeMillis();
Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime);
// Wait for first expiry, but before renewed expiry.
while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime.
CurrentTimeMillis() < nextExpTime)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
// Valid token because of renewal.
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Wait for expiry.
while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid");
// Token should have expired.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token");
}
catch (Exception e)
{
NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType
().FullName);
NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired"));
}
// Test cancellation
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
CancelDelegationToken(loggedInUser, clientRMService, token);
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
// Creating a new connection.
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis());
// Verify cancellation worked.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token"
);
}
catch (IOException)
{
}
catch (YarnException)
{
}
// Test new version token
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array());
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier();
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
tokenIdentifier.ReadFields(dib);
// Construct new version RMDelegationTokenIdentifier with additional field
RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest
(tokenIdentifier, "message");
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken =
new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier
, rmDtSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken
(newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword
(), newRMDTtoken.GetService().ToString());
// Now try talking to RMService using the new version delegation token
clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress
(), "loginuser3", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
}
finally
{
rmDtSecretManager.StopThreads();
// TODO PRECOMMIT Close proxies.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
}
}
}
public _ClientRMService_541(RMContext baseArg1, YarnScheduler baseArg2, RMAppManager
baseArg3, ApplicationACLsManager baseArg4, QueueACLsManager baseArg5, RMDelegationTokenSecretManager
baseArg6)
: base(baseArg1, baseArg2, baseArg3, baseArg4, baseArg5, baseArg6)
{
}
public virtual void SetRMDelegationTokenSecretManager(RMDelegationTokenSecretManager
delegationTokenSecretManager)
{
this.rmDelegationTokenSecretManager = delegationTokenSecretManager;
}
