/// <exception cref="System.Exception"/>
private LogAggregationContext GetLogAggregationContextFromContainerToken(MockRM rm1
, MockNM nm1, LogAggregationContext logAggregationContext)
{
RMApp app2 = rm1.SubmitApp(200, logAggregationContext);
MockAM am2 = MockRM.LaunchAndRegisterAM(app2, rm1, nm1);
nm1.NodeHeartbeat(true);
// request a container.
am2.Allocate("127.0.0.1", 512, 1, new AList <ContainerId>());
ContainerId containerId = ContainerId.NewContainerId(am2.GetApplicationAttemptId(
), 2);
rm1.WaitForState(nm1, containerId, RMContainerState.Allocated);
// acquire the container.
IList <Container> containers = am2.Allocate(new AList <ResourceRequest>(), new AList
<ContainerId>()).GetAllocatedContainers();
NUnit.Framework.Assert.AreEqual(containerId, containers[0].GetId());
// container token is generated.
NUnit.Framework.Assert.IsNotNull(containers[0].GetContainerToken());
ContainerTokenIdentifier token = BuilderUtils.NewContainerTokenIdentifier(containers
[0].GetContainerToken());
return(token.GetLogAggregationContext());
}
/// <exception cref="System.IO.IOException"/>
public virtual StartContainersResponse StartContainers(StartContainersRequest requests
)
{
StartContainerRequest request = requests.GetStartContainerRequests()[0];
ContainerTokenIdentifier containerTokenIdentifier = MRApp.NewContainerTokenIdentifier
(request.GetContainerToken());
// Validate that the container is what RM is giving.
NUnit.Framework.Assert.AreEqual(MRApp.NmHost + ":" + MRApp.NmPort, containerTokenIdentifier
.GetNmHostAddress());
StartContainersResponse response = TestContainerLauncher.recordFactory.NewRecordInstance
<StartContainersResponse>();
this.status = TestContainerLauncher.recordFactory.NewRecordInstance<ContainerStatus
>();
try
{
// make the thread sleep to look like its not going to respond
Sharpen.Thread.Sleep(15000);
}
catch (Exception e)
{
TestContainerLauncher.Log.Error(e);
throw new UndeclaredThrowableException(e);
}
this.status.SetState(ContainerState.Running);
this.status.SetContainerId(containerTokenIdentifier.GetContainerID());
this.status.SetExitStatus(0);
return response;
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public StartContainersResponse StartContainers(StartContainersRequest requests)
{
StartContainerRequest request = requests.GetStartContainerRequests()[0];
Log.Info("Container started by MyContainerManager: " + request);
launched = true;
IDictionary <string, string> env = request.GetContainerLaunchContext().GetEnvironment
();
Token containerToken = request.GetContainerToken();
ContainerTokenIdentifier tokenId = null;
try
{
tokenId = BuilderUtils.NewContainerTokenIdentifier(containerToken);
}
catch (IOException e)
{
throw RPCUtil.GetRemoteException(e);
}
ContainerId containerId = tokenId.GetContainerID();
containerIdAtContainerManager = containerId.ToString();
attemptIdAtContainerManager = containerId.GetApplicationAttemptId().ToString();
nmHostAtContainerManager = tokenId.GetNmHostAddress();
submitTimeAtContainerManager = long.Parse(env[ApplicationConstants.AppSubmitTimeEnv
]);
maxAppAttempts = System.Convert.ToInt32(env[ApplicationConstants.MaxAppAttemptsEnv
]);
return(StartContainersResponse.NewInstance(new Dictionary <string, ByteBuffer>(),
new AList <ContainerId>(), new Dictionary <ContainerId, SerializedException>()));
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public virtual StartContainersResponse StartContainers(StartContainersRequest requests
)
{
StartContainersResponse response = TestRPC.recordFactory.NewRecordInstance <StartContainersResponse
>();
foreach (StartContainerRequest request in requests.GetStartContainerRequests())
{
Token containerToken = request.GetContainerToken();
ContainerTokenIdentifier tokenId = null;
try
{
tokenId = TestRPC.NewContainerTokenIdentifier(containerToken);
}
catch (IOException e)
{
throw RPCUtil.GetRemoteException(e);
}
ContainerStatus status = TestRPC.recordFactory.NewRecordInstance <ContainerStatus>
();
status.SetState(ContainerState.Running);
status.SetContainerId(tokenId.GetContainerID());
status.SetExitStatus(0);
this.statuses.AddItem(status);
}
return(response);
}
internal WrappedApplication(TestApplication _enclosing, int id, long timestamp, string
user, int numContainers)
{
this._enclosing = _enclosing;
Configuration conf = new Configuration();
this.dispatcher = new DrainDispatcher();
this.containerTokenIdentifierMap = new Dictionary <ContainerId, ContainerTokenIdentifier
>();
this.dispatcher.Init(conf);
this.localizerBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.launcherBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.monitorBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.auxBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.containerBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.logAggregationBus = Org.Mockito.Mockito.Mock <EventHandler>();
this.dispatcher.Register(typeof(LocalizationEventType), this.localizerBus);
this.dispatcher.Register(typeof(ContainersLauncherEventType), this.launcherBus);
this.dispatcher.Register(typeof(ContainersMonitorEventType), this.monitorBus);
this.dispatcher.Register(typeof(AuxServicesEventType), this.auxBus);
this.dispatcher.Register(typeof(ContainerEventType), this.containerBus);
this.dispatcher.Register(typeof(LogHandlerEventType), this.logAggregationBus);
this.nmTokenSecretMgr = Org.Mockito.Mockito.Mock <NMTokenSecretManagerInNM>();
this.context = Org.Mockito.Mockito.Mock <Context>();
Org.Mockito.Mockito.When(this.context.GetContainerTokenSecretManager()).ThenReturn
(new NMContainerTokenSecretManager(conf));
Org.Mockito.Mockito.When(this.context.GetApplicationACLsManager()).ThenReturn(new
ApplicationACLsManager(conf));
Org.Mockito.Mockito.When(this.context.GetNMTokenSecretManager()).ThenReturn(this.
nmTokenSecretMgr);
// Setting master key
MasterKey masterKey = new MasterKeyPBImpl();
masterKey.SetKeyId(123);
masterKey.SetBytes(ByteBuffer.Wrap(new byte[] { (123) }));
this.context.GetContainerTokenSecretManager().SetMasterKey(masterKey);
this.user = user;
this.appId = BuilderUtils.NewApplicationId(timestamp, id);
this.app = new ApplicationImpl(this.dispatcher, this.user, this.appId, null, this
.context);
this.containers = new AList <Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container
>();
for (int i = 0; i < numContainers; i++)
{
Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container container
= this._enclosing.CreateMockedContainer(this.appId, i);
this.containers.AddItem(container);
long currentTime = Runtime.CurrentTimeMillis();
ContainerTokenIdentifier identifier = new ContainerTokenIdentifier(container.GetContainerId
(), string.Empty, string.Empty, null, currentTime + 2000, masterKey.GetKeyId(),
currentTime, Priority.NewInstance(0), 0);
this.containerTokenIdentifierMap[identifier.GetContainerID()] = identifier;
this.context.GetContainerTokenSecretManager().StartContainerSuccessful(identifier
);
NUnit.Framework.Assert.IsFalse(this.context.GetContainerTokenSecretManager().IsValidStartContainerRequest
(identifier));
}
this.dispatcher.Start();
}
/// <summary>This tests whether a containerId is serialized/deserialized with epoch.</summary>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
private void TestContainerTokenWithEpoch(Configuration conf)
{
Log.Info("Running test for serializing/deserializing containerIds");
NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager
().GetRMContext().GetNMTokenSecretManager();
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, (5L << 40) | 3L);
NodeManager nm = yarnCluster.GetNodeManager(0);
NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager
();
string user = "******";
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm);
NodeId nodeId = nm.GetNMContext().GetNodeId();
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId
(), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId());
// Creating a normal Container Token
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
Resource r = Resource.NewInstance(1230, 2);
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager
.CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
);
byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
containerTokenIdentifier.ReadFields(dib);
NUnit.Framework.Assert.AreEqual(cId, containerTokenIdentifier.GetContainerID());
NUnit.Framework.Assert.AreEqual(cId.ToString(), containerTokenIdentifier.GetContainerID
().ToString());
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken
(appAttemptId, nodeId, user);
YarnRPC rpc = YarnRPC.Create(conf);
TestStartContainer(rpc, appAttemptId, nodeId, containerToken, nmToken, false);
IList <ContainerId> containerIds = new List <ContainerId>();
containerIds.AddItem(cId);
ContainerManagementProtocol proxy = GetContainerManagementProtocolProxy(rpc, nmToken
, nodeId, user);
GetContainerStatusesResponse res = proxy.GetContainerStatuses(GetContainerStatusesRequest
.NewInstance(containerIds));
NUnit.Framework.Assert.IsNotNull(res.GetContainerStatuses()[0]);
NUnit.Framework.Assert.AreEqual(cId, res.GetContainerStatuses()[0].GetContainerId
());
NUnit.Framework.Assert.AreEqual(cId.ToString(), res.GetContainerStatuses()[0].GetContainerId
().ToString());
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public virtual StartContainersResponse StartContainers(StartContainersRequest requests
)
{
lock (this)
{
foreach (StartContainerRequest request in requests.GetStartContainerRequests())
{
Token containerToken = request.GetContainerToken();
ContainerTokenIdentifier tokenId = null;
try
{
tokenId = BuilderUtils.NewContainerTokenIdentifier(containerToken);
}
catch (IOException e)
{
throw RPCUtil.GetRemoteException(e);
}
ContainerId containerID = tokenId.GetContainerID();
ApplicationId applicationId = containerID.GetApplicationAttemptId().GetApplicationId
();
IList <Container> applicationContainers = containers[applicationId];
if (applicationContainers == null)
{
applicationContainers = new AList <Container>();
containers[applicationId] = applicationContainers;
}
// Sanity check
foreach (Container container in applicationContainers)
{
if (container.GetId().CompareTo(containerID) == 0)
{
throw new InvalidOperationException("Container " + containerID + " already setup on node "
+ containerManagerAddress);
}
}
Container container_1 = BuilderUtils.NewContainer(containerID, this.nodeId, nodeHttpAddress
, tokenId.GetResource(), null, null);
// DKDC - Doesn't matter
ContainerStatus containerStatus = BuilderUtils.NewContainerStatus(container_1.GetId
(), ContainerState.New, string.Empty, -1000);
applicationContainers.AddItem(container_1);
containerStatusMap[container_1] = containerStatus;
Resources.SubtractFrom(available, tokenId.GetResource());
Resources.AddTo(used, tokenId.GetResource());
if (Log.IsDebugEnabled())
{
Log.Debug("startContainer:" + " node=" + containerManagerAddress + " application="
+ applicationId + " container=" + container_1 + " available=" + available + " used="
+ used);
}
}
StartContainersResponse response = StartContainersResponse.NewInstance(null, null
, null);
return(response);
}
}
/// <exception cref="System.Exception"/>
private void TestRPCTimeout(string rpcClass)
{
Configuration conf = new Configuration();
// set timeout low for the test
conf.SetInt("yarn.rpc.nm-command-timeout", 3000);
conf.Set(YarnConfiguration.IpcRpcImpl, rpcClass);
YarnRPC rpc = YarnRPC.Create(conf);
string bindAddr = "localhost:0";
IPEndPoint addr = NetUtils.CreateSocketAddr(bindAddr);
Server server = rpc.GetServer(typeof(ContainerManagementProtocol), new TestContainerLaunchRPC.DummyContainerManager
(this), addr, conf, null, 1);
server.Start();
try
{
ContainerManagementProtocol proxy = (ContainerManagementProtocol)rpc.GetProxy(typeof(
ContainerManagementProtocol), server.GetListenerAddress(), conf);
ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext
>();
ApplicationId applicationId = ApplicationId.NewInstance(0, 0);
ApplicationAttemptId applicationAttemptId = ApplicationAttemptId.NewInstance(applicationId
, 0);
ContainerId containerId = ContainerId.NewContainerId(applicationAttemptId, 100);
NodeId nodeId = NodeId.NewInstance("localhost", 1234);
Resource resource = Resource.NewInstance(1234, 2);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
containerId, "localhost", "user", resource, Runtime.CurrentTimeMillis() + 10000,
42, 42, Priority.NewInstance(0), 0);
Token containerToken = TestRPC.NewContainerToken(nodeId, Sharpen.Runtime.GetBytesForString
("password"), containerTokenIdentifier);
StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext
, containerToken);
IList <StartContainerRequest> list = new AList <StartContainerRequest>();
list.AddItem(scRequest);
StartContainersRequest allRequests = StartContainersRequest.NewInstance(list);
try
{
proxy.StartContainers(allRequests);
}
catch (Exception e)
{
Log.Info(StringUtils.StringifyException(e));
NUnit.Framework.Assert.AreEqual("Error, exception is not: " + typeof(SocketTimeoutException
).FullName, typeof(SocketTimeoutException).FullName, e.GetType().FullName);
return;
}
}
finally
{
server.Stop();
}
NUnit.Framework.Assert.Fail("timeout exception should have occurred!");
}
/// <exception cref="System.IO.IOException"/>
public static Token NewContainerToken(ContainerId cId, string host, int port, string
user, Resource r, long expiryTime, int masterKeyId, byte[] password, long rmIdentifier
)
{
ContainerTokenIdentifier identifier = new ContainerTokenIdentifier(cId, host + ":"
+ port, user, r, expiryTime, masterKeyId, rmIdentifier, Priority.NewInstance(0)
, 0);
return(NewContainerToken(BuilderUtils.NewNodeId(host, port), password, identifier
));
}
public static Token NewContainerToken(NodeId nodeId, byte[] password, ContainerTokenIdentifier
tokenIdentifier)
{
// RPC layer client expects ip:port as service for tokens
IPEndPoint addr = NetUtils.CreateSocketAddrForHost(nodeId.GetHost(), nodeId.GetPort
());
// NOTE: use SecurityUtil.setTokenService if this becomes a "real" token
Token containerToken = NewToken <Token>(tokenIdentifier.GetBytes(), ContainerTokenIdentifier
.Kind.ToString(), password, SecurityUtil.BuildTokenService(addr).ToString());
return(containerToken);
}
/// <exception cref="System.IO.IOException"/>
private ContainerTokenIdentifier GetContainerTokenIdentifierFromToken(Org.Apache.Hadoop.Yarn.Api.Records.Token
containerToken)
{
ContainerTokenIdentifier containerTokenIdentifier;
containerTokenIdentifier = new ContainerTokenIdentifier();
byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
containerTokenIdentifier.ReadFields(dib);
return(containerTokenIdentifier);
}
/// <exception cref="System.IO.IOException"/>
public static Token CreateContainerToken(ContainerId cId, long rmIdentifier, NodeId
nodeId, string user, NMContainerTokenSecretManager containerTokenSecretManager,
LogAggregationContext logAggregationContext)
{
Resource r = BuilderUtils.NewResource(1024, 1);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
cId, nodeId.ToString(), user, r, Runtime.CurrentTimeMillis() + 100000L, 123, rmIdentifier
, Priority.NewInstance(0), 0, logAggregationContext);
Token containerToken = BuilderUtils.NewContainerToken(nodeId, containerTokenSecretManager
.RetrievePassword(containerTokenIdentifier), containerTokenIdentifier);
return(containerToken);
}
/// <exception cref="System.IO.IOException"/>
private static ContainerTokenIdentifier CreateContainerTokenId(ContainerId cid, NodeId
nodeId, string user, NMContainerTokenSecretManager secretMgr)
{
long rmid = cid.GetApplicationAttemptId().GetApplicationId().GetClusterTimestamp(
);
ContainerTokenIdentifier ctid = new ContainerTokenIdentifier(cid, nodeId.ToString
(), user, BuilderUtils.NewResource(1024, 1), Runtime.CurrentTimeMillis() + 100000L
, secretMgr.GetCurrentKey().GetKeyId(), rmid, Priority.NewInstance(0), 0);
Org.Apache.Hadoop.Yarn.Api.Records.Token token = BuilderUtils.NewContainerToken(nodeId
, secretMgr.CreatePassword(ctid), ctid);
return(BuilderUtils.NewContainerTokenIdentifier(token));
}
/// <exception cref="System.IO.IOException"/>
public MockContainer(ApplicationAttemptId appAttemptId, Dispatcher dispatcher, Configuration
conf, string user, ApplicationId appId, int uniqId)
{
this.user = user;
this.recordFactory = RecordFactoryProvider.GetRecordFactory(conf);
this.id = BuilderUtils.NewContainerId(recordFactory, appId, appAttemptId, uniqId);
this.launchContext = recordFactory.NewRecordInstance <ContainerLaunchContext>();
long currentTime = Runtime.CurrentTimeMillis();
this.containerTokenIdentifier = BuilderUtils.NewContainerTokenIdentifier(BuilderUtils
.NewContainerToken(id, "127.0.0.1", 1234, user, BuilderUtils.NewResource(1024, 1
), currentTime + 10000, 123, Sharpen.Runtime.GetBytesForString("password"), currentTime
));
this.state = ContainerState.New;
}
public virtual void TestAppFinishedOnCompletedContainers()
{
TestApplication.WrappedApplication wa = null;
try
{
wa = new TestApplication.WrappedApplication(this, 5, 314159265358979L, "yak", 3);
wa.InitApplication();
wa.InitContainer(-1);
NUnit.Framework.Assert.AreEqual(ApplicationState.Initing, wa.app.GetApplicationState
());
wa.ApplicationInited();
NUnit.Framework.Assert.AreEqual(ApplicationState.Running, wa.app.GetApplicationState
());
Org.Mockito.Mockito.Reset(wa.localizerBus);
wa.ContainerFinished(0);
wa.ContainerFinished(1);
wa.ContainerFinished(2);
NUnit.Framework.Assert.AreEqual(ApplicationState.Running, wa.app.GetApplicationState
());
NUnit.Framework.Assert.AreEqual(0, wa.app.GetContainers().Count);
wa.AppFinished();
NUnit.Framework.Assert.AreEqual(ApplicationState.ApplicationResourcesCleaningup,
wa.app.GetApplicationState());
Org.Mockito.Mockito.Verify(wa.localizerBus).Handle(Matchers.RefEq(new ApplicationLocalizationEvent
(LocalizationEventType.DestroyApplicationResources, wa.app)));
wa.AppResourcesCleanedup();
foreach (Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container
container in wa.containers)
{
ContainerTokenIdentifier identifier = wa.GetContainerTokenIdentifier(container.GetContainerId
());
WaitForContainerTokenToExpire(identifier);
NUnit.Framework.Assert.IsTrue(wa.context.GetContainerTokenSecretManager().IsValidStartContainerRequest
(identifier));
}
NUnit.Framework.Assert.AreEqual(ApplicationState.Finished, wa.app.GetApplicationState
());
}
finally
{
if (wa != null)
{
wa.Finished();
}
}
}
protected internal virtual ContainerTokenIdentifier WaitForContainerTokenToExpire
(ContainerTokenIdentifier identifier)
{
int attempts = 5;
while (Runtime.CurrentTimeMillis() < identifier.GetExpiryTimeStamp() && attempts--
> 0)
{
try
{
Sharpen.Thread.Sleep(1000);
}
catch (Exception)
{
}
}
return(identifier);
}
/// <summary>
/// Container will be remembered based on expiration time of the container
/// token used for starting the container.
/// </summary>
/// <remarks>
/// Container will be remembered based on expiration time of the container
/// token used for starting the container. It is safe to use expiration time
/// as there is one to many mapping between expiration time and containerId.
/// </remarks>
/// <returns>true if the current token identifier is not present in cache.</returns>
public virtual bool IsValidStartContainerRequest(ContainerTokenIdentifier containerTokenIdentifier
)
{
lock (this)
{
RemoveAnyContainerTokenIfExpired();
long expTime = containerTokenIdentifier.GetExpiryTimeStamp();
IList <ContainerId> containers = this.recentlyStartedContainerTracker[expTime];
if (containers == null || !containers.Contains(containerTokenIdentifier.GetContainerID
()))
{
return(true);
}
else
{
return(false);
}
}
}
public ContainerTokenIdentifierForTest(ContainerTokenIdentifier identifier, string
message)
{
YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto.Builder builder =
YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto.NewBuilder();
ContainerIdPBImpl containerID = (ContainerIdPBImpl)identifier.GetContainerID();
if (containerID != null)
{
builder.SetContainerId(containerID.GetProto());
}
builder.SetNmHostAddr(identifier.GetNmHostAddress());
builder.SetAppSubmitter(identifier.GetApplicationSubmitter());
ResourcePBImpl resource = (ResourcePBImpl)identifier.GetResource();
if (resource != null)
{
builder.SetResource(resource.GetProto());
}
builder.SetExpiryTimeStamp(identifier.GetExpiryTimeStamp());
builder.SetMasterKeyId(identifier.GetMasterKeyId());
builder.SetRmIdentifier(identifier.GetRMIdentifier());
PriorityPBImpl priority = (PriorityPBImpl)identifier.GetPriority();
if (priority != null)
{
builder.SetPriority(priority.GetProto());
}
builder.SetCreationTime(identifier.GetCreationTime());
builder.SetMessage(message);
LogAggregationContextPBImpl logAggregationContext = (LogAggregationContextPBImpl)
identifier.GetLogAggregationContext();
if (logAggregationContext != null)
{
builder.SetLogAggregationContext(logAggregationContext.GetProto());
}
proto = ((YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto)builder
.Build());
}
/// <summary>
/// Override of this is to validate ContainerTokens generated by using
/// different
/// <see cref="Org.Apache.Hadoop.Yarn.Server.Api.Records.MasterKey"/>
/// s.
/// </summary>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/>
public override byte[] RetrievePassword(ContainerTokenIdentifier identifier)
{
lock (this)
{
int keyId = identifier.GetMasterKeyId();
MasterKeyData masterKeyToUse = null;
if (this.previousMasterKey != null && keyId == this.previousMasterKey.GetMasterKey
().GetKeyId())
{
// A container-launch has come in with a token generated off the last
// master-key
masterKeyToUse = this.previousMasterKey;
}
else
{
if (keyId == base.currentMasterKey.GetMasterKey().GetKeyId())
{
// A container-launch has come in with a token generated off the current
// master-key
masterKeyToUse = base.currentMasterKey;
}
}
if (nodeHostAddr != null && !identifier.GetNmHostAddress().Equals(nodeHostAddr))
{
// Valid container token used for incorrect node.
throw new SecretManager.InvalidToken("Given Container " + identifier.GetContainerID
().ToString() + " identifier is not valid for current Node manager. Expected : "
+ nodeHostAddr + " Found : " + identifier.GetNmHostAddress());
}
if (masterKeyToUse != null)
{
return(RetrievePasswordInternal(identifier, masterKeyToUse));
}
// Invalid request. Like startContainer() with token generated off
// old-master-keys.
throw new SecretManager.InvalidToken("Given Container " + identifier.GetContainerID
().ToString() + " seems to have an illegally generated token.");
}
}
/// <summary>Container start has gone through.</summary>
/// <remarks>
/// Container start has gone through. We need to store the containerId in order
/// to block future container start requests with same container token. This
/// container token needs to be saved till its container token expires.
/// </remarks>
public virtual void StartContainerSuccessful(ContainerTokenIdentifier tokenId)
{
lock (this)
{
RemoveAnyContainerTokenIfExpired();
ContainerId containerId = tokenId.GetContainerID();
long expTime = tokenId.GetExpiryTimeStamp();
// We might have multiple containers with same expiration time.
if (!recentlyStartedContainerTracker.Contains(expTime))
{
recentlyStartedContainerTracker[expTime] = new AList <ContainerId>();
}
recentlyStartedContainerTracker[expTime].AddItem(containerId);
try
{
stateStore.StoreContainerToken(containerId, expTime);
}
catch (IOException e)
{
Log.Error("Unable to store token for container " + containerId, e);
}
}
}
public virtual void Handle(ContainerAllocatorEvent @event)
{
ContainerId cId = ContainerId.NewContainerId(this._enclosing.GetContext().GetApplicationAttemptId
(), this.containerCount++);
NodeId nodeId = NodeId.NewInstance(MRApp.NmHost, MRApp.NmPort);
Resource resource = Resource.NewInstance(1234, 2);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
cId, nodeId.ToString(), "user", resource, Runtime.CurrentTimeMillis() + 10000, 42
, 42, Priority.NewInstance(0), 0);
Token containerToken = MRApp.NewContainerToken(nodeId, Sharpen.Runtime.GetBytesForString
("password"), containerTokenIdentifier);
Container container = Container.NewInstance(cId, nodeId, MRApp.NmHost + ":" + MRApp
.NmHttpPort, resource, null, containerToken);
JobID id = TypeConverter.FromYarn(MRApp.applicationId);
JobId jobId = TypeConverter.ToYarn(id);
this._enclosing.GetContext().GetEventHandler().Handle(new JobHistoryEvent(jobId,
new NormalizedResourceEvent(TaskType.Reduce, 100)));
this._enclosing.GetContext().GetEventHandler().Handle(new JobHistoryEvent(jobId,
new NormalizedResourceEvent(TaskType.Map, 100)));
this._enclosing.GetContext().GetEventHandler().Handle(new TaskAttemptContainerAssignedEvent
(@event.GetAttemptID(), container, null));
}
/// <exception cref="System.Exception"/>
public virtual void TestRMIdentifierOnContainerAllocation()
{
MockRM rm = new MockRM(conf);
rm.Start();
// Register node1
MockNM nm1 = rm.RegisterNode("127.0.0.1:1234", 6 * Gb);
// Submit an application
RMApp app1 = rm.SubmitApp(2048);
// kick the scheduling
nm1.NodeHeartbeat(true);
RMAppAttempt attempt1 = app1.GetCurrentAppAttempt();
MockAM am1 = rm.SendAMLaunched(attempt1.GetAppAttemptId());
am1.RegisterAppAttempt();
am1.AddRequests(new string[] { "127.0.0.1" }, Gb, 1, 1);
AllocateResponse alloc1Response = am1.Schedule();
// send the request
// kick the scheduler
nm1.NodeHeartbeat(true);
while (alloc1Response.GetAllocatedContainers().Count < 1)
{
Log.Info("Waiting for containers to be created for app 1...");
Sharpen.Thread.Sleep(1000);
alloc1Response = am1.Schedule();
}
// assert RMIdentifer is set properly in allocated containers
Container allocatedContainer = alloc1Response.GetAllocatedContainers()[0];
ContainerTokenIdentifier tokenId = BuilderUtils.NewContainerTokenIdentifier(allocatedContainer
.GetContainerToken());
NUnit.Framework.Assert.AreEqual(MockRM.GetClusterTimeStamp(), tokenId.GetRMIdentifier
());
rm.Stop();
}
/// <summary>Helper function for creating ContainerTokens</summary>
/// <param name="containerId"/>
/// <param name="nodeId"/>
/// <param name="appSubmitter"/>
/// <param name="capability"/>
/// <param name="priority"/>
/// <param name="createTime"/>
/// <param name="logAggregationContext"/>
/// <returns>the container-token</returns>
public virtual Token CreateContainerToken(ContainerId containerId, NodeId nodeId,
string appSubmitter, Resource capability, Priority priority, long createTime, LogAggregationContext
logAggregationContext)
{
byte[] password;
ContainerTokenIdentifier tokenIdentifier;
long expiryTimeStamp = Runtime.CurrentTimeMillis() + containerTokenExpiryInterval;
// Lock so that we use the same MasterKey's keyId and its bytes
this.readLock.Lock();
try
{
tokenIdentifier = new ContainerTokenIdentifier(containerId, nodeId.ToString(), appSubmitter
, capability, expiryTimeStamp, this.currentMasterKey.GetMasterKey().GetKeyId(),
ResourceManager.GetClusterTimeStamp(), priority, createTime, logAggregationContext
);
password = this.CreatePassword(tokenIdentifier);
}
finally
{
this.readLock.Unlock();
}
return(BuilderUtils.NewContainerToken(nodeId, password, tokenIdentifier));
}
public virtual void TestRecovery()
{
YarnConfiguration conf = new YarnConfiguration();
conf.SetBoolean(YarnConfiguration.NmRecoveryEnabled, true);
NodeId nodeId = NodeId.NewInstance("somehost", 1234);
ContainerId cid1 = BuilderUtils.NewContainerId(1, 1, 1, 1);
ContainerId cid2 = BuilderUtils.NewContainerId(2, 2, 2, 2);
TestNMContainerTokenSecretManager.ContainerTokenKeyGeneratorForTest keygen = new
TestNMContainerTokenSecretManager.ContainerTokenKeyGeneratorForTest(conf);
NMMemoryStateStoreService stateStore = new NMMemoryStateStoreService();
stateStore.Init(conf);
stateStore.Start();
NMContainerTokenSecretManager secretMgr = new NMContainerTokenSecretManager(conf,
stateStore);
secretMgr.SetNodeId(nodeId);
MasterKey currentKey = keygen.GenerateKey();
secretMgr.SetMasterKey(currentKey);
ContainerTokenIdentifier tokenId1 = CreateContainerTokenId(cid1, nodeId, "user1",
secretMgr);
ContainerTokenIdentifier tokenId2 = CreateContainerTokenId(cid2, nodeId, "user2",
secretMgr);
NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId1));
NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId2));
// restart and verify tokens still valid
secretMgr = new NMContainerTokenSecretManager(conf, stateStore);
secretMgr.SetNodeId(nodeId);
secretMgr.Recover();
NUnit.Framework.Assert.AreEqual(currentKey, secretMgr.GetCurrentKey());
NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId1));
NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId2));
NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId1));
NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId2));
// roll master key and start a container
secretMgr.StartContainerSuccessful(tokenId2);
currentKey = keygen.GenerateKey();
secretMgr.SetMasterKey(currentKey);
// restart and verify tokens still valid due to prev key persist
secretMgr = new NMContainerTokenSecretManager(conf, stateStore);
secretMgr.SetNodeId(nodeId);
secretMgr.Recover();
NUnit.Framework.Assert.AreEqual(currentKey, secretMgr.GetCurrentKey());
NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId1));
NUnit.Framework.Assert.IsFalse(secretMgr.IsValidStartContainerRequest(tokenId2));
NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId1));
NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId2));
// roll master key again, restart, and verify keys no longer valid
currentKey = keygen.GenerateKey();
secretMgr.SetMasterKey(currentKey);
secretMgr = new NMContainerTokenSecretManager(conf, stateStore);
secretMgr.SetNodeId(nodeId);
secretMgr.Recover();
NUnit.Framework.Assert.AreEqual(currentKey, secretMgr.GetCurrentKey());
NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId1));
NUnit.Framework.Assert.IsFalse(secretMgr.IsValidStartContainerRequest(tokenId2));
try
{
secretMgr.RetrievePassword(tokenId1);
NUnit.Framework.Assert.Fail("token should not be valid");
}
catch (SecretManager.InvalidToken)
{
}
// expected
try
{
secretMgr.RetrievePassword(tokenId2);
NUnit.Framework.Assert.Fail("token should not be valid");
}
catch (SecretManager.InvalidToken)
{
}
// expected
stateStore.Close();
}
// do nothing
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
protected internal override void AuthorizeStartRequest(NMTokenIdentifier nmTokenIdentifier
, ContainerTokenIdentifier containerTokenIdentifier)
{
}
public virtual void TestContainerKillOnMemoryOverflow()
{
if (!ProcfsBasedProcessTree.IsAvailable())
{
return;
}
containerManager.Start();
FilePath scriptFile = new FilePath(tmpDir, "scriptFile.sh");
PrintWriter fileWriter = new PrintWriter(scriptFile);
FilePath processStartFile = new FilePath(tmpDir, "start_file.txt").GetAbsoluteFile
();
fileWriter.Write("\numask 0");
// So that start file is readable by the
// test.
fileWriter.Write("\necho Hello World! > " + processStartFile);
fileWriter.Write("\necho $$ >> " + processStartFile);
fileWriter.Write("\nsleep 15");
fileWriter.Close();
ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext
>();
// ////// Construct the Container-id
ApplicationId appId = ApplicationId.NewInstance(0, 0);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 1);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, 0);
int port = 12345;
URL resource_alpha = ConverterUtils.GetYarnUrlFromPath(localFS.MakeQualified(new
Path(scriptFile.GetAbsolutePath())));
LocalResource rsrc_alpha = recordFactory.NewRecordInstance <LocalResource>();
rsrc_alpha.SetResource(resource_alpha);
rsrc_alpha.SetSize(-1);
rsrc_alpha.SetVisibility(LocalResourceVisibility.Application);
rsrc_alpha.SetType(LocalResourceType.File);
rsrc_alpha.SetTimestamp(scriptFile.LastModified());
string destinationFile = "dest_file";
IDictionary <string, LocalResource> localResources = new Dictionary <string, LocalResource
>();
localResources[destinationFile] = rsrc_alpha;
containerLaunchContext.SetLocalResources(localResources);
IList <string> commands = new AList <string>();
commands.AddItem("/bin/bash");
commands.AddItem(scriptFile.GetAbsolutePath());
containerLaunchContext.SetCommands(commands);
Resource r = BuilderUtils.NewResource(8 * 1024 * 1024, 1);
ContainerTokenIdentifier containerIdentifier = new ContainerTokenIdentifier(cId,
context.GetNodeId().ToString(), user, r, Runtime.CurrentTimeMillis() + 120000, 123
, DummyRmIdentifier, Priority.NewInstance(0), 0);
Token containerToken = BuilderUtils.NewContainerToken(context.GetNodeId(), containerManager
.GetContext().GetContainerTokenSecretManager().CreatePassword(containerIdentifier
), containerIdentifier);
StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext
, containerToken);
IList <StartContainerRequest> list = new AList <StartContainerRequest>();
list.AddItem(scRequest);
StartContainersRequest allRequests = StartContainersRequest.NewInstance(list);
containerManager.StartContainers(allRequests);
int timeoutSecs = 0;
while (!processStartFile.Exists() && timeoutSecs++ < 20)
{
Sharpen.Thread.Sleep(1000);
Log.Info("Waiting for process start-file to be created");
}
NUnit.Framework.Assert.IsTrue("ProcessStartFile doesn't exist!", processStartFile
.Exists());
// Now verify the contents of the file
BufferedReader reader = new BufferedReader(new FileReader(processStartFile));
NUnit.Framework.Assert.AreEqual("Hello World!", reader.ReadLine());
// Get the pid of the process
string pid = reader.ReadLine().Trim();
// No more lines
NUnit.Framework.Assert.AreEqual(null, reader.ReadLine());
BaseContainerManagerTest.WaitForContainerState(containerManager, cId, ContainerState
.Complete, 60);
IList <ContainerId> containerIds = new AList <ContainerId>();
containerIds.AddItem(cId);
GetContainerStatusesRequest gcsRequest = GetContainerStatusesRequest.NewInstance(
containerIds);
ContainerStatus containerStatus = containerManager.GetContainerStatuses(gcsRequest
).GetContainerStatuses()[0];
NUnit.Framework.Assert.AreEqual(ContainerExitStatus.KilledExceededVmem, containerStatus
.GetExitStatus());
string expectedMsgPattern = "Container \\[pid=" + pid + ",containerID=" + cId + "\\] is running beyond virtual memory limits. Current usage: "
+ "[0-9.]+ ?[KMGTPE]?B of [0-9.]+ ?[KMGTPE]?B physical memory used; " + "[0-9.]+ ?[KMGTPE]?B of [0-9.]+ ?[KMGTPE]?B virtual memory used. "
+ "Killing container.\nDump of the process-tree for " + cId + " :\n";
Sharpen.Pattern pat = Sharpen.Pattern.Compile(expectedMsgPattern);
NUnit.Framework.Assert.AreEqual("Expected message pattern is: " + expectedMsgPattern
+ "\n\nObserved message is: " + containerStatus.GetDiagnostics(), true, pat.Matcher
(containerStatus.GetDiagnostics()).Find());
// Assert that the process is not alive anymore
NUnit.Framework.Assert.IsFalse("Process is still alive!", exec.SignalContainer(user
, pid, ContainerExecutor.Signal.Null));
}
/// <exception cref="System.Exception"/>
private void Test(string rpcClass)
{
Configuration conf = new Configuration();
conf.Set(YarnConfiguration.IpcRpcImpl, rpcClass);
YarnRPC rpc = YarnRPC.Create(conf);
string bindAddr = "localhost:0";
IPEndPoint addr = NetUtils.CreateSocketAddr(bindAddr);
Server server = rpc.GetServer(typeof(ContainerManagementProtocol), new TestRPC.DummyContainerManager
(this), addr, conf, null, 1);
server.Start();
RPC.SetProtocolEngine(conf, typeof(ContainerManagementProtocolPB), typeof(ProtobufRpcEngine
));
ContainerManagementProtocol proxy = (ContainerManagementProtocol)rpc.GetProxy(typeof(
ContainerManagementProtocol), NetUtils.GetConnectAddress(server), conf);
ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext
>();
ApplicationId applicationId = ApplicationId.NewInstance(0, 0);
ApplicationAttemptId applicationAttemptId = ApplicationAttemptId.NewInstance(applicationId
, 0);
ContainerId containerId = ContainerId.NewContainerId(applicationAttemptId, 100);
NodeId nodeId = NodeId.NewInstance("localhost", 1234);
Resource resource = Resource.NewInstance(1234, 2);
ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(
containerId, "localhost", "user", resource, Runtime.CurrentTimeMillis() + 10000,
42, 42, Priority.NewInstance(0), 0);
Token containerToken = NewContainerToken(nodeId, Sharpen.Runtime.GetBytesForString
("password"), containerTokenIdentifier);
StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext
, containerToken);
IList <StartContainerRequest> list = new AList <StartContainerRequest>();
list.AddItem(scRequest);
StartContainersRequest allRequests = StartContainersRequest.NewInstance(list);
proxy.StartContainers(allRequests);
IList <ContainerId> containerIds = new AList <ContainerId>();
containerIds.AddItem(containerId);
GetContainerStatusesRequest gcsRequest = GetContainerStatusesRequest.NewInstance(
containerIds);
GetContainerStatusesResponse response = proxy.GetContainerStatuses(gcsRequest);
IList <ContainerStatus> statuses = response.GetContainerStatuses();
//test remote exception
bool exception = false;
try
{
StopContainersRequest stopRequest = recordFactory.NewRecordInstance <StopContainersRequest
>();
stopRequest.SetContainerIds(containerIds);
proxy.StopContainers(stopRequest);
}
catch (YarnException e)
{
exception = true;
NUnit.Framework.Assert.IsTrue(e.Message.Contains(ExceptionMsg));
NUnit.Framework.Assert.IsTrue(e.Message.Contains(ExceptionCause));
System.Console.Out.WriteLine("Test Exception is " + e.Message);
}
catch (Exception ex)
{
Sharpen.Runtime.PrintStackTrace(ex);
}
NUnit.Framework.Assert.IsTrue(exception);
server.Stop();
NUnit.Framework.Assert.IsNotNull(statuses[0]);
NUnit.Framework.Assert.AreEqual(ContainerState.Running, statuses[0].GetState());
}
public virtual void TestAuxEventDispatch()
{
Configuration conf = new Configuration();
conf.SetStrings(YarnConfiguration.NmAuxServices, new string[] { "Asrv", "Bsrv" });
conf.SetClass(string.Format(YarnConfiguration.NmAuxServiceFmt, "Asrv"), typeof(TestAuxServices.ServiceA
), typeof(Org.Apache.Hadoop.Service.Service));
conf.SetClass(string.Format(YarnConfiguration.NmAuxServiceFmt, "Bsrv"), typeof(TestAuxServices.ServiceB
), typeof(Org.Apache.Hadoop.Service.Service));
conf.SetInt("A.expected.init", 1);
conf.SetInt("B.expected.stop", 1);
AuxServices aux = new AuxServices();
aux.Init(conf);
aux.Start();
ApplicationId appId1 = ApplicationId.NewInstance(0, 65);
ByteBuffer buf = ByteBuffer.Allocate(6);
buf.PutChar('A');
buf.PutInt(65);
buf.Flip();
AuxServicesEvent @event = new AuxServicesEvent(AuxServicesEventType.ApplicationInit
, "user0", appId1, "Asrv", buf);
aux.Handle(@event);
ApplicationId appId2 = ApplicationId.NewInstance(0, 66);
@event = new AuxServicesEvent(AuxServicesEventType.ApplicationStop, "user0", appId2
, "Bsrv", null);
// verify all services got the stop event
aux.Handle(@event);
ICollection <AuxiliaryService> servs = aux.GetServices();
foreach (AuxiliaryService serv in servs)
{
AList <int> appIds = ((TestAuxServices.LightService)serv).GetAppIdsStopped();
NUnit.Framework.Assert.AreEqual("app not properly stopped", 1, appIds.Count);
NUnit.Framework.Assert.IsTrue("wrong app stopped", appIds.Contains((int)66));
}
foreach (AuxiliaryService serv_1 in servs)
{
NUnit.Framework.Assert.IsNull(((TestAuxServices.LightService)serv_1).containerId);
NUnit.Framework.Assert.IsNull(((TestAuxServices.LightService)serv_1).resource);
}
ApplicationAttemptId attemptId = ApplicationAttemptId.NewInstance(appId1, 1);
ContainerTokenIdentifier cti = new ContainerTokenIdentifier(ContainerId.NewContainerId
(attemptId, 1), string.Empty, string.Empty, Resource.NewInstance(1, 1), 0, 0, 0,
Priority.NewInstance(0), 0);
Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container container
= new ContainerImpl(null, null, null, null, null, null, cti);
ContainerId containerId = container.GetContainerId();
Resource resource = container.GetResource();
@event = new AuxServicesEvent(AuxServicesEventType.ContainerInit, container);
aux.Handle(@event);
foreach (AuxiliaryService serv_2 in servs)
{
NUnit.Framework.Assert.AreEqual(containerId, ((TestAuxServices.LightService)serv_2
).containerId);
NUnit.Framework.Assert.AreEqual(resource, ((TestAuxServices.LightService)serv_2).
resource);
((TestAuxServices.LightService)serv_2).containerId = null;
((TestAuxServices.LightService)serv_2).resource = null;
}
@event = new AuxServicesEvent(AuxServicesEventType.ContainerStop, container);
aux.Handle(@event);
foreach (AuxiliaryService serv_3 in servs)
{
NUnit.Framework.Assert.AreEqual(containerId, ((TestAuxServices.LightService)serv_3
).containerId);
NUnit.Framework.Assert.AreEqual(resource, ((TestAuxServices.LightService)serv_3).
resource);
}
}
/// <exception cref="System.Exception"/>
private void TestNMTokens(Configuration conf)
{
NMTokenSecretManagerInRM nmTokenSecretManagerRM = yarnCluster.GetResourceManager(
).GetRMContext().GetNMTokenSecretManager();
NMTokenSecretManagerInNM nmTokenSecretManagerNM = yarnCluster.GetNodeManager(0).GetNMContext
().GetNMTokenSecretManager();
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
NodeManager nm = yarnCluster.GetNodeManager(0);
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerNM, nm);
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerNM.GetCurrentKey().GetKeyId()
, nmTokenSecretManagerRM.GetCurrentKey().GetKeyId());
/*
* Below cases should be tested.
* 1) If Invalid NMToken is used then it should be rejected.
* 2) If valid NMToken but belonging to another Node is used then that
* too should be rejected.
* 3) NMToken for say appAttempt-1 is used for starting/stopping/retrieving
* status for container with containerId for say appAttempt-2 should
* be rejected.
* 4) After start container call is successful nmtoken should have been
* saved in NMTokenSecretManagerInNM.
* 5) If start container call was successful (no matter if container is
* still running or not), appAttempt->NMToken should be present in
* NMTokenSecretManagerInNM's cache. Any future getContainerStatus call
* for containerId belonging to that application attempt using
* applicationAttempt's older nmToken should not get any invalid
* nmToken error. (This can be best tested if we roll over NMToken
* master key twice).
*/
YarnRPC rpc = YarnRPC.Create(conf);
string user = "******";
Resource r = Resource.NewInstance(1024, 1);
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId validAppAttemptId = ApplicationAttemptId.NewInstance(appId,
1);
ContainerId validContainerId = ContainerId.NewContainerId(validAppAttemptId, 0);
NodeId validNode = yarnCluster.GetNodeManager(0).GetNMContext().GetNodeId();
NodeId invalidNode = NodeId.NewInstance("InvalidHost", 1234);
Token validNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode
, user);
Token validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId
, validNode, user, r, Priority.NewInstance(10), 1234);
ContainerTokenIdentifier identifier = BuilderUtils.NewContainerTokenIdentifier(validContainerToken
);
NUnit.Framework.Assert.AreEqual(Priority.NewInstance(10), identifier.GetPriority(
));
NUnit.Framework.Assert.AreEqual(1234, identifier.GetCreationTime());
StringBuilder sb;
// testInvalidNMToken ... creating NMToken using different secret manager.
NMTokenSecretManagerInRM tempManager = new NMTokenSecretManagerInRM(conf);
tempManager.RollMasterKey();
do
{
tempManager.RollMasterKey();
tempManager.ActivateNextMasterKey();
}while (tempManager.GetCurrentKey().GetKeyId() == nmTokenSecretManagerRM.GetCurrentKey
().GetKeyId());
// Making sure key id is different.
// Testing that NM rejects the requests when we don't send any token.
if (UserGroupInformation.IsSecurityEnabled())
{
sb = new StringBuilder("Client cannot authenticate via:[TOKEN]");
}
else
{
sb = new StringBuilder("SIMPLE authentication is not enabled. Available:[TOKEN]"
);
}
string errorMsg = TestStartContainer(rpc, validAppAttemptId, validNode, validContainerToken
, null, true);
NUnit.Framework.Assert.IsTrue(errorMsg.Contains(sb.ToString()));
Token invalidNMToken = tempManager.CreateNMToken(validAppAttemptId, validNode, user
);
sb = new StringBuilder("Given NMToken for application : ");
sb.Append(validAppAttemptId.ToString()).Append(" seems to have been generated illegally."
);
NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId
, validNode, validContainerToken, invalidNMToken, true)));
// valid NMToken but belonging to other node
invalidNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, invalidNode
, user);
sb = new StringBuilder("Given NMToken for application : ");
sb.Append(validAppAttemptId).Append(" is not valid for current node manager.expected : "
).Append(validNode.ToString()).Append(" found : ").Append(invalidNode.ToString()
);
NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId
, validNode, validContainerToken, invalidNMToken, true)));
// using correct tokens. nmtoken for app attempt should get saved.
conf.SetInt(YarnConfiguration.RmContainerAllocExpiryIntervalMs, 4 * 60 * 1000);
validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId
, validNode, user, r, Priority.NewInstance(0), 0);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode
, validContainerToken, validNMToken, false).IsEmpty());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent
(validAppAttemptId));
// using a new compatible version nmtoken, expect container can be started
// successfully.
ApplicationAttemptId validAppAttemptId2 = ApplicationAttemptId.NewInstance(appId,
2);
ContainerId validContainerId2 = ContainerId.NewContainerId(validAppAttemptId2, 0);
Token validContainerToken2 = containerTokenSecretManager.CreateContainerToken(validContainerId2
, validNode, user, r, Priority.NewInstance(0), 0);
Token validNMToken2 = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId2, validNode
, user);
// First, get a new NMTokenIdentifier.
NMTokenIdentifier newIdentifier = new NMTokenIdentifier();
byte[] tokenIdentifierContent = ((byte[])validNMToken2.GetIdentifier().Array());
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
newIdentifier.ReadFields(dib);
// Then, generate a new version NMTokenIdentifier (NMTokenIdentifierNewForTest)
// with additional field of message.
NMTokenIdentifierNewForTest newVersionIdentifier = new NMTokenIdentifierNewForTest
(newIdentifier, "message");
// check new version NMTokenIdentifier has correct info.
NUnit.Framework.Assert.AreEqual("The ApplicationAttemptId is changed after set to "
+ "newVersionIdentifier", validAppAttemptId2.GetAttemptId(), newVersionIdentifier
.GetApplicationAttemptId().GetAttemptId());
NUnit.Framework.Assert.AreEqual("The message is changed after set to newVersionIdentifier"
, "message", newVersionIdentifier.GetMessage());
NUnit.Framework.Assert.AreEqual("The NodeId is changed after set to newVersionIdentifier"
, validNode, newVersionIdentifier.GetNodeId());
// create new Token based on new version NMTokenIdentifier.
Token newVersionedNMToken = BaseNMTokenSecretManager.NewInstance(nmTokenSecretManagerRM
.RetrievePassword(newVersionIdentifier), newVersionIdentifier);
// Verify startContainer is successful and no exception is thrown.
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId2, validNode
, validContainerToken2, newVersionedNMToken, false).IsEmpty());
NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent
(validAppAttemptId2));
//Now lets wait till container finishes and is removed from node manager.
WaitForContainerToFinishOnNM(validContainerId);
sb = new StringBuilder("Attempt to relaunch the same container with id ");
sb.Append(validContainerId);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode
, validContainerToken, validNMToken, true).Contains(sb.ToString()));
// Container is removed from node manager's memory by this time.
// trying to stop the container. It should not throw any exception.
TestStopContainer(rpc, validAppAttemptId, validNode, validContainerId, validNMToken
, false);
// Rolling over master key twice so that we can check whether older keys
// are used for authentication.
RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM);
// Key rolled over once.. rolling over again
RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM);
// trying get container status. Now saved nmToken should be used for
// authentication... It should complain saying container was recently
// stopped.
sb = new StringBuilder("Container ");
sb.Append(validContainerId);
sb.Append(" was recently stopped on node manager");
NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode,
validContainerId, validNMToken, true).Contains(sb.ToString()));
// Now lets remove the container from nm-memory
nm.GetNodeStatusUpdater().ClearFinishedContainersFromCache();
// This should fail as container is removed from recently tracked finished
// containers.
sb = new StringBuilder("Container ");
sb.Append(validContainerId.ToString());
sb.Append(" is not handled by this NodeManager");
NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode,
validContainerId, validNMToken, false).Contains(sb.ToString()));
// using appAttempt-1 NMtoken for launching container for appAttempt-2 should
// succeed.
ApplicationAttemptId attempt2 = ApplicationAttemptId.NewInstance(appId, 2);
Token attempt1NMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode
, user);
Token newContainerToken = containerTokenSecretManager.CreateContainerToken(ContainerId
.NewContainerId(attempt2, 1), validNode, user, r, Priority.NewInstance(0), 0);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, attempt2, validNode, newContainerToken
, attempt1NMToken, false).IsEmpty());
}
/// <summary>
/// This tests a malice user getting a proper token but then messing with it by
/// tampering with containerID/Resource etc..
/// </summary>
/// <remarks>
/// This tests a malice user getting a proper token but then messing with it by
/// tampering with containerID/Resource etc.. His/her containers should be
/// rejected.
/// </remarks>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
private void TestContainerToken(Configuration conf)
{
Log.Info("Running test for malice user");
/*
* We need to check for containerToken (authorization).
* Here we will be assuming that we have valid NMToken
* 1) ContainerToken used is expired.
* 2) ContainerToken is tampered (resource is modified).
*/
NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager
().GetRMContext().GetNMTokenSecretManager();
ApplicationId appId = ApplicationId.NewInstance(1, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0);
ContainerId cId = ContainerId.NewContainerId(appAttemptId, 0);
NodeManager nm = yarnCluster.GetNodeManager(0);
NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager
();
string user = "******";
WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm);
NodeId nodeId = nm.GetNMContext().GetNodeId();
// Both id should be equal.
NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId
(), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId());
RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager
().GetRMContext().GetContainerTokenSecretManager();
Resource r = Resource.NewInstance(1230, 2);
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager
.CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0);
ContainerTokenIdentifier containerTokenIdentifier = GetContainerTokenIdentifierFromToken
(containerToken);
// Verify new compatible version ContainerTokenIdentifier can work successfully.
ContainerTokenIdentifierForTest newVersionTokenIdentifier = new ContainerTokenIdentifierForTest
(containerTokenIdentifier, "message");
byte[] password = containerTokenSecretManager.CreatePassword(newVersionTokenIdentifier
);
Org.Apache.Hadoop.Yarn.Api.Records.Token newContainerToken = BuilderUtils.NewContainerToken
(nodeId, password, newVersionTokenIdentifier);
Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken
(appAttemptId, nodeId, user);
YarnRPC rpc = YarnRPC.Create(conf);
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, newContainerToken
, nmToken, false).IsEmpty());
// Creating a tampered Container Token
RMContainerTokenSecretManager tamperedContainerTokenSecretManager = new RMContainerTokenSecretManager
(conf);
tamperedContainerTokenSecretManager.RollMasterKey();
do
{
tamperedContainerTokenSecretManager.RollMasterKey();
tamperedContainerTokenSecretManager.ActivateNextMasterKey();
}while (containerTokenSecretManager.GetCurrentKey().GetKeyId() == tamperedContainerTokenSecretManager
.GetCurrentKey().GetKeyId());
ContainerId cId2 = ContainerId.NewContainerId(appAttemptId, 1);
// Creating modified containerToken
Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken2 = tamperedContainerTokenSecretManager
.CreateContainerToken(cId2, nodeId, user, r, Priority.NewInstance(0), 0);
StringBuilder sb = new StringBuilder("Given Container ");
sb.Append(cId2);
sb.Append(" seems to have an illegally generated token.");
NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, containerToken2
, nmToken, true).Contains(sb.ToString()));
}
