/// <exception cref="System.Exception"/> private LogAggregationContext GetLogAggregationContextFromContainerToken(MockRM rm1 , MockNM nm1, LogAggregationContext logAggregationContext) { RMApp app2 = rm1.SubmitApp(200, logAggregationContext); MockAM am2 = MockRM.LaunchAndRegisterAM(app2, rm1, nm1); nm1.NodeHeartbeat(true); // request a container. am2.Allocate("127.0.0.1", 512, 1, new AList <ContainerId>()); ContainerId containerId = ContainerId.NewContainerId(am2.GetApplicationAttemptId( ), 2); rm1.WaitForState(nm1, containerId, RMContainerState.Allocated); // acquire the container. IList <Container> containers = am2.Allocate(new AList <ResourceRequest>(), new AList <ContainerId>()).GetAllocatedContainers(); NUnit.Framework.Assert.AreEqual(containerId, containers[0].GetId()); // container token is generated. NUnit.Framework.Assert.IsNotNull(containers[0].GetContainerToken()); ContainerTokenIdentifier token = BuilderUtils.NewContainerTokenIdentifier(containers [0].GetContainerToken()); return(token.GetLogAggregationContext()); }
/// <exception cref="System.IO.IOException"/> public virtual StartContainersResponse StartContainers(StartContainersRequest requests ) { StartContainerRequest request = requests.GetStartContainerRequests()[0]; ContainerTokenIdentifier containerTokenIdentifier = MRApp.NewContainerTokenIdentifier (request.GetContainerToken()); // Validate that the container is what RM is giving. NUnit.Framework.Assert.AreEqual(MRApp.NmHost + ":" + MRApp.NmPort, containerTokenIdentifier .GetNmHostAddress()); StartContainersResponse response = TestContainerLauncher.recordFactory.NewRecordInstance <StartContainersResponse>(); this.status = TestContainerLauncher.recordFactory.NewRecordInstance<ContainerStatus >(); try { // make the thread sleep to look like its not going to respond Sharpen.Thread.Sleep(15000); } catch (Exception e) { TestContainerLauncher.Log.Error(e); throw new UndeclaredThrowableException(e); } this.status.SetState(ContainerState.Running); this.status.SetContainerId(containerTokenIdentifier.GetContainerID()); this.status.SetExitStatus(0); return response; }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> public StartContainersResponse StartContainers(StartContainersRequest requests) { StartContainerRequest request = requests.GetStartContainerRequests()[0]; Log.Info("Container started by MyContainerManager: " + request); launched = true; IDictionary <string, string> env = request.GetContainerLaunchContext().GetEnvironment (); Token containerToken = request.GetContainerToken(); ContainerTokenIdentifier tokenId = null; try { tokenId = BuilderUtils.NewContainerTokenIdentifier(containerToken); } catch (IOException e) { throw RPCUtil.GetRemoteException(e); } ContainerId containerId = tokenId.GetContainerID(); containerIdAtContainerManager = containerId.ToString(); attemptIdAtContainerManager = containerId.GetApplicationAttemptId().ToString(); nmHostAtContainerManager = tokenId.GetNmHostAddress(); submitTimeAtContainerManager = long.Parse(env[ApplicationConstants.AppSubmitTimeEnv ]); maxAppAttempts = System.Convert.ToInt32(env[ApplicationConstants.MaxAppAttemptsEnv ]); return(StartContainersResponse.NewInstance(new Dictionary <string, ByteBuffer>(), new AList <ContainerId>(), new Dictionary <ContainerId, SerializedException>())); }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> public virtual StartContainersResponse StartContainers(StartContainersRequest requests ) { StartContainersResponse response = TestRPC.recordFactory.NewRecordInstance <StartContainersResponse >(); foreach (StartContainerRequest request in requests.GetStartContainerRequests()) { Token containerToken = request.GetContainerToken(); ContainerTokenIdentifier tokenId = null; try { tokenId = TestRPC.NewContainerTokenIdentifier(containerToken); } catch (IOException e) { throw RPCUtil.GetRemoteException(e); } ContainerStatus status = TestRPC.recordFactory.NewRecordInstance <ContainerStatus> (); status.SetState(ContainerState.Running); status.SetContainerId(tokenId.GetContainerID()); status.SetExitStatus(0); this.statuses.AddItem(status); } return(response); }
internal WrappedApplication(TestApplication _enclosing, int id, long timestamp, string user, int numContainers) { this._enclosing = _enclosing; Configuration conf = new Configuration(); this.dispatcher = new DrainDispatcher(); this.containerTokenIdentifierMap = new Dictionary <ContainerId, ContainerTokenIdentifier >(); this.dispatcher.Init(conf); this.localizerBus = Org.Mockito.Mockito.Mock <EventHandler>(); this.launcherBus = Org.Mockito.Mockito.Mock <EventHandler>(); this.monitorBus = Org.Mockito.Mockito.Mock <EventHandler>(); this.auxBus = Org.Mockito.Mockito.Mock <EventHandler>(); this.containerBus = Org.Mockito.Mockito.Mock <EventHandler>(); this.logAggregationBus = Org.Mockito.Mockito.Mock <EventHandler>(); this.dispatcher.Register(typeof(LocalizationEventType), this.localizerBus); this.dispatcher.Register(typeof(ContainersLauncherEventType), this.launcherBus); this.dispatcher.Register(typeof(ContainersMonitorEventType), this.monitorBus); this.dispatcher.Register(typeof(AuxServicesEventType), this.auxBus); this.dispatcher.Register(typeof(ContainerEventType), this.containerBus); this.dispatcher.Register(typeof(LogHandlerEventType), this.logAggregationBus); this.nmTokenSecretMgr = Org.Mockito.Mockito.Mock <NMTokenSecretManagerInNM>(); this.context = Org.Mockito.Mockito.Mock <Context>(); Org.Mockito.Mockito.When(this.context.GetContainerTokenSecretManager()).ThenReturn (new NMContainerTokenSecretManager(conf)); Org.Mockito.Mockito.When(this.context.GetApplicationACLsManager()).ThenReturn(new ApplicationACLsManager(conf)); Org.Mockito.Mockito.When(this.context.GetNMTokenSecretManager()).ThenReturn(this. nmTokenSecretMgr); // Setting master key MasterKey masterKey = new MasterKeyPBImpl(); masterKey.SetKeyId(123); masterKey.SetBytes(ByteBuffer.Wrap(new byte[] { (123) })); this.context.GetContainerTokenSecretManager().SetMasterKey(masterKey); this.user = user; this.appId = BuilderUtils.NewApplicationId(timestamp, id); this.app = new ApplicationImpl(this.dispatcher, this.user, this.appId, null, this .context); this.containers = new AList <Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container >(); for (int i = 0; i < numContainers; i++) { Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container container = this._enclosing.CreateMockedContainer(this.appId, i); this.containers.AddItem(container); long currentTime = Runtime.CurrentTimeMillis(); ContainerTokenIdentifier identifier = new ContainerTokenIdentifier(container.GetContainerId (), string.Empty, string.Empty, null, currentTime + 2000, masterKey.GetKeyId(), currentTime, Priority.NewInstance(0), 0); this.containerTokenIdentifierMap[identifier.GetContainerID()] = identifier; this.context.GetContainerTokenSecretManager().StartContainerSuccessful(identifier ); NUnit.Framework.Assert.IsFalse(this.context.GetContainerTokenSecretManager().IsValidStartContainerRequest (identifier)); } this.dispatcher.Start(); }
/// <summary>This tests whether a containerId is serialized/deserialized with epoch.</summary> /// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> private void TestContainerTokenWithEpoch(Configuration conf) { Log.Info("Running test for serializing/deserializing containerIds"); NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager ().GetRMContext().GetNMTokenSecretManager(); ApplicationId appId = ApplicationId.NewInstance(1, 1); ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0); ContainerId cId = ContainerId.NewContainerId(appAttemptId, (5L << 40) | 3L); NodeManager nm = yarnCluster.GetNodeManager(0); NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager (); string user = "******"; WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm); NodeId nodeId = nm.GetNMContext().GetNodeId(); // Both id should be equal. NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId (), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId()); // Creating a normal Container Token RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager ().GetRMContext().GetContainerTokenSecretManager(); Resource r = Resource.NewInstance(1230, 2); Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager .CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0); ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier( ); byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array()); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); containerTokenIdentifier.ReadFields(dib); NUnit.Framework.Assert.AreEqual(cId, containerTokenIdentifier.GetContainerID()); NUnit.Framework.Assert.AreEqual(cId.ToString(), containerTokenIdentifier.GetContainerID ().ToString()); Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken (appAttemptId, nodeId, user); YarnRPC rpc = YarnRPC.Create(conf); TestStartContainer(rpc, appAttemptId, nodeId, containerToken, nmToken, false); IList <ContainerId> containerIds = new List <ContainerId>(); containerIds.AddItem(cId); ContainerManagementProtocol proxy = GetContainerManagementProtocolProxy(rpc, nmToken , nodeId, user); GetContainerStatusesResponse res = proxy.GetContainerStatuses(GetContainerStatusesRequest .NewInstance(containerIds)); NUnit.Framework.Assert.IsNotNull(res.GetContainerStatuses()[0]); NUnit.Framework.Assert.AreEqual(cId, res.GetContainerStatuses()[0].GetContainerId ()); NUnit.Framework.Assert.AreEqual(cId.ToString(), res.GetContainerStatuses()[0].GetContainerId ().ToString()); }
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> public virtual StartContainersResponse StartContainers(StartContainersRequest requests ) { lock (this) { foreach (StartContainerRequest request in requests.GetStartContainerRequests()) { Token containerToken = request.GetContainerToken(); ContainerTokenIdentifier tokenId = null; try { tokenId = BuilderUtils.NewContainerTokenIdentifier(containerToken); } catch (IOException e) { throw RPCUtil.GetRemoteException(e); } ContainerId containerID = tokenId.GetContainerID(); ApplicationId applicationId = containerID.GetApplicationAttemptId().GetApplicationId (); IList <Container> applicationContainers = containers[applicationId]; if (applicationContainers == null) { applicationContainers = new AList <Container>(); containers[applicationId] = applicationContainers; } // Sanity check foreach (Container container in applicationContainers) { if (container.GetId().CompareTo(containerID) == 0) { throw new InvalidOperationException("Container " + containerID + " already setup on node " + containerManagerAddress); } } Container container_1 = BuilderUtils.NewContainer(containerID, this.nodeId, nodeHttpAddress , tokenId.GetResource(), null, null); // DKDC - Doesn't matter ContainerStatus containerStatus = BuilderUtils.NewContainerStatus(container_1.GetId (), ContainerState.New, string.Empty, -1000); applicationContainers.AddItem(container_1); containerStatusMap[container_1] = containerStatus; Resources.SubtractFrom(available, tokenId.GetResource()); Resources.AddTo(used, tokenId.GetResource()); if (Log.IsDebugEnabled()) { Log.Debug("startContainer:" + " node=" + containerManagerAddress + " application=" + applicationId + " container=" + container_1 + " available=" + available + " used=" + used); } } StartContainersResponse response = StartContainersResponse.NewInstance(null, null , null); return(response); } }
/// <exception cref="System.Exception"/> private void TestRPCTimeout(string rpcClass) { Configuration conf = new Configuration(); // set timeout low for the test conf.SetInt("yarn.rpc.nm-command-timeout", 3000); conf.Set(YarnConfiguration.IpcRpcImpl, rpcClass); YarnRPC rpc = YarnRPC.Create(conf); string bindAddr = "localhost:0"; IPEndPoint addr = NetUtils.CreateSocketAddr(bindAddr); Server server = rpc.GetServer(typeof(ContainerManagementProtocol), new TestContainerLaunchRPC.DummyContainerManager (this), addr, conf, null, 1); server.Start(); try { ContainerManagementProtocol proxy = (ContainerManagementProtocol)rpc.GetProxy(typeof( ContainerManagementProtocol), server.GetListenerAddress(), conf); ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext >(); ApplicationId applicationId = ApplicationId.NewInstance(0, 0); ApplicationAttemptId applicationAttemptId = ApplicationAttemptId.NewInstance(applicationId , 0); ContainerId containerId = ContainerId.NewContainerId(applicationAttemptId, 100); NodeId nodeId = NodeId.NewInstance("localhost", 1234); Resource resource = Resource.NewInstance(1234, 2); ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier( containerId, "localhost", "user", resource, Runtime.CurrentTimeMillis() + 10000, 42, 42, Priority.NewInstance(0), 0); Token containerToken = TestRPC.NewContainerToken(nodeId, Sharpen.Runtime.GetBytesForString ("password"), containerTokenIdentifier); StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext , containerToken); IList <StartContainerRequest> list = new AList <StartContainerRequest>(); list.AddItem(scRequest); StartContainersRequest allRequests = StartContainersRequest.NewInstance(list); try { proxy.StartContainers(allRequests); } catch (Exception e) { Log.Info(StringUtils.StringifyException(e)); NUnit.Framework.Assert.AreEqual("Error, exception is not: " + typeof(SocketTimeoutException ).FullName, typeof(SocketTimeoutException).FullName, e.GetType().FullName); return; } } finally { server.Stop(); } NUnit.Framework.Assert.Fail("timeout exception should have occurred!"); }
/// <exception cref="System.IO.IOException"/> public static Token NewContainerToken(ContainerId cId, string host, int port, string user, Resource r, long expiryTime, int masterKeyId, byte[] password, long rmIdentifier ) { ContainerTokenIdentifier identifier = new ContainerTokenIdentifier(cId, host + ":" + port, user, r, expiryTime, masterKeyId, rmIdentifier, Priority.NewInstance(0) , 0); return(NewContainerToken(BuilderUtils.NewNodeId(host, port), password, identifier )); }
public static Token NewContainerToken(NodeId nodeId, byte[] password, ContainerTokenIdentifier tokenIdentifier) { // RPC layer client expects ip:port as service for tokens IPEndPoint addr = NetUtils.CreateSocketAddrForHost(nodeId.GetHost(), nodeId.GetPort ()); // NOTE: use SecurityUtil.setTokenService if this becomes a "real" token Token containerToken = NewToken <Token>(tokenIdentifier.GetBytes(), ContainerTokenIdentifier .Kind.ToString(), password, SecurityUtil.BuildTokenService(addr).ToString()); return(containerToken); }
/// <exception cref="System.IO.IOException"/> private ContainerTokenIdentifier GetContainerTokenIdentifierFromToken(Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken) { ContainerTokenIdentifier containerTokenIdentifier; containerTokenIdentifier = new ContainerTokenIdentifier(); byte[] tokenIdentifierContent = ((byte[])containerToken.GetIdentifier().Array()); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); containerTokenIdentifier.ReadFields(dib); return(containerTokenIdentifier); }
/// <exception cref="System.IO.IOException"/> public static Token CreateContainerToken(ContainerId cId, long rmIdentifier, NodeId nodeId, string user, NMContainerTokenSecretManager containerTokenSecretManager, LogAggregationContext logAggregationContext) { Resource r = BuilderUtils.NewResource(1024, 1); ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier( cId, nodeId.ToString(), user, r, Runtime.CurrentTimeMillis() + 100000L, 123, rmIdentifier , Priority.NewInstance(0), 0, logAggregationContext); Token containerToken = BuilderUtils.NewContainerToken(nodeId, containerTokenSecretManager .RetrievePassword(containerTokenIdentifier), containerTokenIdentifier); return(containerToken); }
/// <exception cref="System.IO.IOException"/> private static ContainerTokenIdentifier CreateContainerTokenId(ContainerId cid, NodeId nodeId, string user, NMContainerTokenSecretManager secretMgr) { long rmid = cid.GetApplicationAttemptId().GetApplicationId().GetClusterTimestamp( ); ContainerTokenIdentifier ctid = new ContainerTokenIdentifier(cid, nodeId.ToString (), user, BuilderUtils.NewResource(1024, 1), Runtime.CurrentTimeMillis() + 100000L , secretMgr.GetCurrentKey().GetKeyId(), rmid, Priority.NewInstance(0), 0); Org.Apache.Hadoop.Yarn.Api.Records.Token token = BuilderUtils.NewContainerToken(nodeId , secretMgr.CreatePassword(ctid), ctid); return(BuilderUtils.NewContainerTokenIdentifier(token)); }
/// <exception cref="System.IO.IOException"/> public MockContainer(ApplicationAttemptId appAttemptId, Dispatcher dispatcher, Configuration conf, string user, ApplicationId appId, int uniqId) { this.user = user; this.recordFactory = RecordFactoryProvider.GetRecordFactory(conf); this.id = BuilderUtils.NewContainerId(recordFactory, appId, appAttemptId, uniqId); this.launchContext = recordFactory.NewRecordInstance <ContainerLaunchContext>(); long currentTime = Runtime.CurrentTimeMillis(); this.containerTokenIdentifier = BuilderUtils.NewContainerTokenIdentifier(BuilderUtils .NewContainerToken(id, "127.0.0.1", 1234, user, BuilderUtils.NewResource(1024, 1 ), currentTime + 10000, 123, Sharpen.Runtime.GetBytesForString("password"), currentTime )); this.state = ContainerState.New; }
public virtual void TestAppFinishedOnCompletedContainers() { TestApplication.WrappedApplication wa = null; try { wa = new TestApplication.WrappedApplication(this, 5, 314159265358979L, "yak", 3); wa.InitApplication(); wa.InitContainer(-1); NUnit.Framework.Assert.AreEqual(ApplicationState.Initing, wa.app.GetApplicationState ()); wa.ApplicationInited(); NUnit.Framework.Assert.AreEqual(ApplicationState.Running, wa.app.GetApplicationState ()); Org.Mockito.Mockito.Reset(wa.localizerBus); wa.ContainerFinished(0); wa.ContainerFinished(1); wa.ContainerFinished(2); NUnit.Framework.Assert.AreEqual(ApplicationState.Running, wa.app.GetApplicationState ()); NUnit.Framework.Assert.AreEqual(0, wa.app.GetContainers().Count); wa.AppFinished(); NUnit.Framework.Assert.AreEqual(ApplicationState.ApplicationResourcesCleaningup, wa.app.GetApplicationState()); Org.Mockito.Mockito.Verify(wa.localizerBus).Handle(Matchers.RefEq(new ApplicationLocalizationEvent (LocalizationEventType.DestroyApplicationResources, wa.app))); wa.AppResourcesCleanedup(); foreach (Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container container in wa.containers) { ContainerTokenIdentifier identifier = wa.GetContainerTokenIdentifier(container.GetContainerId ()); WaitForContainerTokenToExpire(identifier); NUnit.Framework.Assert.IsTrue(wa.context.GetContainerTokenSecretManager().IsValidStartContainerRequest (identifier)); } NUnit.Framework.Assert.AreEqual(ApplicationState.Finished, wa.app.GetApplicationState ()); } finally { if (wa != null) { wa.Finished(); } } }
protected internal virtual ContainerTokenIdentifier WaitForContainerTokenToExpire (ContainerTokenIdentifier identifier) { int attempts = 5; while (Runtime.CurrentTimeMillis() < identifier.GetExpiryTimeStamp() && attempts-- > 0) { try { Sharpen.Thread.Sleep(1000); } catch (Exception) { } } return(identifier); }
/// <summary> /// Container will be remembered based on expiration time of the container /// token used for starting the container. /// </summary> /// <remarks> /// Container will be remembered based on expiration time of the container /// token used for starting the container. It is safe to use expiration time /// as there is one to many mapping between expiration time and containerId. /// </remarks> /// <returns>true if the current token identifier is not present in cache.</returns> public virtual bool IsValidStartContainerRequest(ContainerTokenIdentifier containerTokenIdentifier ) { lock (this) { RemoveAnyContainerTokenIfExpired(); long expTime = containerTokenIdentifier.GetExpiryTimeStamp(); IList <ContainerId> containers = this.recentlyStartedContainerTracker[expTime]; if (containers == null || !containers.Contains(containerTokenIdentifier.GetContainerID ())) { return(true); } else { return(false); } } }
public ContainerTokenIdentifierForTest(ContainerTokenIdentifier identifier, string message) { YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto.Builder builder = YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto.NewBuilder(); ContainerIdPBImpl containerID = (ContainerIdPBImpl)identifier.GetContainerID(); if (containerID != null) { builder.SetContainerId(containerID.GetProto()); } builder.SetNmHostAddr(identifier.GetNmHostAddress()); builder.SetAppSubmitter(identifier.GetApplicationSubmitter()); ResourcePBImpl resource = (ResourcePBImpl)identifier.GetResource(); if (resource != null) { builder.SetResource(resource.GetProto()); } builder.SetExpiryTimeStamp(identifier.GetExpiryTimeStamp()); builder.SetMasterKeyId(identifier.GetMasterKeyId()); builder.SetRmIdentifier(identifier.GetRMIdentifier()); PriorityPBImpl priority = (PriorityPBImpl)identifier.GetPriority(); if (priority != null) { builder.SetPriority(priority.GetProto()); } builder.SetCreationTime(identifier.GetCreationTime()); builder.SetMessage(message); LogAggregationContextPBImpl logAggregationContext = (LogAggregationContextPBImpl) identifier.GetLogAggregationContext(); if (logAggregationContext != null) { builder.SetLogAggregationContext(logAggregationContext.GetProto()); } proto = ((YarnSecurityTestTokenProtos.ContainerTokenIdentifierForTestProto)builder .Build()); }
/// <summary> /// Override of this is to validate ContainerTokens generated by using /// different /// <see cref="Org.Apache.Hadoop.Yarn.Server.Api.Records.MasterKey"/> /// s. /// </summary> /// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/> public override byte[] RetrievePassword(ContainerTokenIdentifier identifier) { lock (this) { int keyId = identifier.GetMasterKeyId(); MasterKeyData masterKeyToUse = null; if (this.previousMasterKey != null && keyId == this.previousMasterKey.GetMasterKey ().GetKeyId()) { // A container-launch has come in with a token generated off the last // master-key masterKeyToUse = this.previousMasterKey; } else { if (keyId == base.currentMasterKey.GetMasterKey().GetKeyId()) { // A container-launch has come in with a token generated off the current // master-key masterKeyToUse = base.currentMasterKey; } } if (nodeHostAddr != null && !identifier.GetNmHostAddress().Equals(nodeHostAddr)) { // Valid container token used for incorrect node. throw new SecretManager.InvalidToken("Given Container " + identifier.GetContainerID ().ToString() + " identifier is not valid for current Node manager. Expected : " + nodeHostAddr + " Found : " + identifier.GetNmHostAddress()); } if (masterKeyToUse != null) { return(RetrievePasswordInternal(identifier, masterKeyToUse)); } // Invalid request. Like startContainer() with token generated off // old-master-keys. throw new SecretManager.InvalidToken("Given Container " + identifier.GetContainerID ().ToString() + " seems to have an illegally generated token."); } }
/// <summary>Container start has gone through.</summary> /// <remarks> /// Container start has gone through. We need to store the containerId in order /// to block future container start requests with same container token. This /// container token needs to be saved till its container token expires. /// </remarks> public virtual void StartContainerSuccessful(ContainerTokenIdentifier tokenId) { lock (this) { RemoveAnyContainerTokenIfExpired(); ContainerId containerId = tokenId.GetContainerID(); long expTime = tokenId.GetExpiryTimeStamp(); // We might have multiple containers with same expiration time. if (!recentlyStartedContainerTracker.Contains(expTime)) { recentlyStartedContainerTracker[expTime] = new AList <ContainerId>(); } recentlyStartedContainerTracker[expTime].AddItem(containerId); try { stateStore.StoreContainerToken(containerId, expTime); } catch (IOException e) { Log.Error("Unable to store token for container " + containerId, e); } } }
public virtual void Handle(ContainerAllocatorEvent @event) { ContainerId cId = ContainerId.NewContainerId(this._enclosing.GetContext().GetApplicationAttemptId (), this.containerCount++); NodeId nodeId = NodeId.NewInstance(MRApp.NmHost, MRApp.NmPort); Resource resource = Resource.NewInstance(1234, 2); ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier( cId, nodeId.ToString(), "user", resource, Runtime.CurrentTimeMillis() + 10000, 42 , 42, Priority.NewInstance(0), 0); Token containerToken = MRApp.NewContainerToken(nodeId, Sharpen.Runtime.GetBytesForString ("password"), containerTokenIdentifier); Container container = Container.NewInstance(cId, nodeId, MRApp.NmHost + ":" + MRApp .NmHttpPort, resource, null, containerToken); JobID id = TypeConverter.FromYarn(MRApp.applicationId); JobId jobId = TypeConverter.ToYarn(id); this._enclosing.GetContext().GetEventHandler().Handle(new JobHistoryEvent(jobId, new NormalizedResourceEvent(TaskType.Reduce, 100))); this._enclosing.GetContext().GetEventHandler().Handle(new JobHistoryEvent(jobId, new NormalizedResourceEvent(TaskType.Map, 100))); this._enclosing.GetContext().GetEventHandler().Handle(new TaskAttemptContainerAssignedEvent (@event.GetAttemptID(), container, null)); }
/// <exception cref="System.Exception"/> public virtual void TestRMIdentifierOnContainerAllocation() { MockRM rm = new MockRM(conf); rm.Start(); // Register node1 MockNM nm1 = rm.RegisterNode("127.0.0.1:1234", 6 * Gb); // Submit an application RMApp app1 = rm.SubmitApp(2048); // kick the scheduling nm1.NodeHeartbeat(true); RMAppAttempt attempt1 = app1.GetCurrentAppAttempt(); MockAM am1 = rm.SendAMLaunched(attempt1.GetAppAttemptId()); am1.RegisterAppAttempt(); am1.AddRequests(new string[] { "127.0.0.1" }, Gb, 1, 1); AllocateResponse alloc1Response = am1.Schedule(); // send the request // kick the scheduler nm1.NodeHeartbeat(true); while (alloc1Response.GetAllocatedContainers().Count < 1) { Log.Info("Waiting for containers to be created for app 1..."); Sharpen.Thread.Sleep(1000); alloc1Response = am1.Schedule(); } // assert RMIdentifer is set properly in allocated containers Container allocatedContainer = alloc1Response.GetAllocatedContainers()[0]; ContainerTokenIdentifier tokenId = BuilderUtils.NewContainerTokenIdentifier(allocatedContainer .GetContainerToken()); NUnit.Framework.Assert.AreEqual(MockRM.GetClusterTimeStamp(), tokenId.GetRMIdentifier ()); rm.Stop(); }
/// <summary>Helper function for creating ContainerTokens</summary> /// <param name="containerId"/> /// <param name="nodeId"/> /// <param name="appSubmitter"/> /// <param name="capability"/> /// <param name="priority"/> /// <param name="createTime"/> /// <param name="logAggregationContext"/> /// <returns>the container-token</returns> public virtual Token CreateContainerToken(ContainerId containerId, NodeId nodeId, string appSubmitter, Resource capability, Priority priority, long createTime, LogAggregationContext logAggregationContext) { byte[] password; ContainerTokenIdentifier tokenIdentifier; long expiryTimeStamp = Runtime.CurrentTimeMillis() + containerTokenExpiryInterval; // Lock so that we use the same MasterKey's keyId and its bytes this.readLock.Lock(); try { tokenIdentifier = new ContainerTokenIdentifier(containerId, nodeId.ToString(), appSubmitter , capability, expiryTimeStamp, this.currentMasterKey.GetMasterKey().GetKeyId(), ResourceManager.GetClusterTimeStamp(), priority, createTime, logAggregationContext ); password = this.CreatePassword(tokenIdentifier); } finally { this.readLock.Unlock(); } return(BuilderUtils.NewContainerToken(nodeId, password, tokenIdentifier)); }
public virtual void TestRecovery() { YarnConfiguration conf = new YarnConfiguration(); conf.SetBoolean(YarnConfiguration.NmRecoveryEnabled, true); NodeId nodeId = NodeId.NewInstance("somehost", 1234); ContainerId cid1 = BuilderUtils.NewContainerId(1, 1, 1, 1); ContainerId cid2 = BuilderUtils.NewContainerId(2, 2, 2, 2); TestNMContainerTokenSecretManager.ContainerTokenKeyGeneratorForTest keygen = new TestNMContainerTokenSecretManager.ContainerTokenKeyGeneratorForTest(conf); NMMemoryStateStoreService stateStore = new NMMemoryStateStoreService(); stateStore.Init(conf); stateStore.Start(); NMContainerTokenSecretManager secretMgr = new NMContainerTokenSecretManager(conf, stateStore); secretMgr.SetNodeId(nodeId); MasterKey currentKey = keygen.GenerateKey(); secretMgr.SetMasterKey(currentKey); ContainerTokenIdentifier tokenId1 = CreateContainerTokenId(cid1, nodeId, "user1", secretMgr); ContainerTokenIdentifier tokenId2 = CreateContainerTokenId(cid2, nodeId, "user2", secretMgr); NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId1)); NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId2)); // restart and verify tokens still valid secretMgr = new NMContainerTokenSecretManager(conf, stateStore); secretMgr.SetNodeId(nodeId); secretMgr.Recover(); NUnit.Framework.Assert.AreEqual(currentKey, secretMgr.GetCurrentKey()); NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId1)); NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId2)); NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId1)); NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId2)); // roll master key and start a container secretMgr.StartContainerSuccessful(tokenId2); currentKey = keygen.GenerateKey(); secretMgr.SetMasterKey(currentKey); // restart and verify tokens still valid due to prev key persist secretMgr = new NMContainerTokenSecretManager(conf, stateStore); secretMgr.SetNodeId(nodeId); secretMgr.Recover(); NUnit.Framework.Assert.AreEqual(currentKey, secretMgr.GetCurrentKey()); NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId1)); NUnit.Framework.Assert.IsFalse(secretMgr.IsValidStartContainerRequest(tokenId2)); NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId1)); NUnit.Framework.Assert.IsNotNull(secretMgr.RetrievePassword(tokenId2)); // roll master key again, restart, and verify keys no longer valid currentKey = keygen.GenerateKey(); secretMgr.SetMasterKey(currentKey); secretMgr = new NMContainerTokenSecretManager(conf, stateStore); secretMgr.SetNodeId(nodeId); secretMgr.Recover(); NUnit.Framework.Assert.AreEqual(currentKey, secretMgr.GetCurrentKey()); NUnit.Framework.Assert.IsTrue(secretMgr.IsValidStartContainerRequest(tokenId1)); NUnit.Framework.Assert.IsFalse(secretMgr.IsValidStartContainerRequest(tokenId2)); try { secretMgr.RetrievePassword(tokenId1); NUnit.Framework.Assert.Fail("token should not be valid"); } catch (SecretManager.InvalidToken) { } // expected try { secretMgr.RetrievePassword(tokenId2); NUnit.Framework.Assert.Fail("token should not be valid"); } catch (SecretManager.InvalidToken) { } // expected stateStore.Close(); }
// do nothing /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> protected internal override void AuthorizeStartRequest(NMTokenIdentifier nmTokenIdentifier , ContainerTokenIdentifier containerTokenIdentifier) { }
public virtual void TestContainerKillOnMemoryOverflow() { if (!ProcfsBasedProcessTree.IsAvailable()) { return; } containerManager.Start(); FilePath scriptFile = new FilePath(tmpDir, "scriptFile.sh"); PrintWriter fileWriter = new PrintWriter(scriptFile); FilePath processStartFile = new FilePath(tmpDir, "start_file.txt").GetAbsoluteFile (); fileWriter.Write("\numask 0"); // So that start file is readable by the // test. fileWriter.Write("\necho Hello World! > " + processStartFile); fileWriter.Write("\necho $$ >> " + processStartFile); fileWriter.Write("\nsleep 15"); fileWriter.Close(); ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext >(); // ////// Construct the Container-id ApplicationId appId = ApplicationId.NewInstance(0, 0); ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 1); ContainerId cId = ContainerId.NewContainerId(appAttemptId, 0); int port = 12345; URL resource_alpha = ConverterUtils.GetYarnUrlFromPath(localFS.MakeQualified(new Path(scriptFile.GetAbsolutePath()))); LocalResource rsrc_alpha = recordFactory.NewRecordInstance <LocalResource>(); rsrc_alpha.SetResource(resource_alpha); rsrc_alpha.SetSize(-1); rsrc_alpha.SetVisibility(LocalResourceVisibility.Application); rsrc_alpha.SetType(LocalResourceType.File); rsrc_alpha.SetTimestamp(scriptFile.LastModified()); string destinationFile = "dest_file"; IDictionary <string, LocalResource> localResources = new Dictionary <string, LocalResource >(); localResources[destinationFile] = rsrc_alpha; containerLaunchContext.SetLocalResources(localResources); IList <string> commands = new AList <string>(); commands.AddItem("/bin/bash"); commands.AddItem(scriptFile.GetAbsolutePath()); containerLaunchContext.SetCommands(commands); Resource r = BuilderUtils.NewResource(8 * 1024 * 1024, 1); ContainerTokenIdentifier containerIdentifier = new ContainerTokenIdentifier(cId, context.GetNodeId().ToString(), user, r, Runtime.CurrentTimeMillis() + 120000, 123 , DummyRmIdentifier, Priority.NewInstance(0), 0); Token containerToken = BuilderUtils.NewContainerToken(context.GetNodeId(), containerManager .GetContext().GetContainerTokenSecretManager().CreatePassword(containerIdentifier ), containerIdentifier); StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext , containerToken); IList <StartContainerRequest> list = new AList <StartContainerRequest>(); list.AddItem(scRequest); StartContainersRequest allRequests = StartContainersRequest.NewInstance(list); containerManager.StartContainers(allRequests); int timeoutSecs = 0; while (!processStartFile.Exists() && timeoutSecs++ < 20) { Sharpen.Thread.Sleep(1000); Log.Info("Waiting for process start-file to be created"); } NUnit.Framework.Assert.IsTrue("ProcessStartFile doesn't exist!", processStartFile .Exists()); // Now verify the contents of the file BufferedReader reader = new BufferedReader(new FileReader(processStartFile)); NUnit.Framework.Assert.AreEqual("Hello World!", reader.ReadLine()); // Get the pid of the process string pid = reader.ReadLine().Trim(); // No more lines NUnit.Framework.Assert.AreEqual(null, reader.ReadLine()); BaseContainerManagerTest.WaitForContainerState(containerManager, cId, ContainerState .Complete, 60); IList <ContainerId> containerIds = new AList <ContainerId>(); containerIds.AddItem(cId); GetContainerStatusesRequest gcsRequest = GetContainerStatusesRequest.NewInstance( containerIds); ContainerStatus containerStatus = containerManager.GetContainerStatuses(gcsRequest ).GetContainerStatuses()[0]; NUnit.Framework.Assert.AreEqual(ContainerExitStatus.KilledExceededVmem, containerStatus .GetExitStatus()); string expectedMsgPattern = "Container \\[pid=" + pid + ",containerID=" + cId + "\\] is running beyond virtual memory limits. Current usage: " + "[0-9.]+ ?[KMGTPE]?B of [0-9.]+ ?[KMGTPE]?B physical memory used; " + "[0-9.]+ ?[KMGTPE]?B of [0-9.]+ ?[KMGTPE]?B virtual memory used. " + "Killing container.\nDump of the process-tree for " + cId + " :\n"; Sharpen.Pattern pat = Sharpen.Pattern.Compile(expectedMsgPattern); NUnit.Framework.Assert.AreEqual("Expected message pattern is: " + expectedMsgPattern + "\n\nObserved message is: " + containerStatus.GetDiagnostics(), true, pat.Matcher (containerStatus.GetDiagnostics()).Find()); // Assert that the process is not alive anymore NUnit.Framework.Assert.IsFalse("Process is still alive!", exec.SignalContainer(user , pid, ContainerExecutor.Signal.Null)); }
/// <exception cref="System.Exception"/> private void Test(string rpcClass) { Configuration conf = new Configuration(); conf.Set(YarnConfiguration.IpcRpcImpl, rpcClass); YarnRPC rpc = YarnRPC.Create(conf); string bindAddr = "localhost:0"; IPEndPoint addr = NetUtils.CreateSocketAddr(bindAddr); Server server = rpc.GetServer(typeof(ContainerManagementProtocol), new TestRPC.DummyContainerManager (this), addr, conf, null, 1); server.Start(); RPC.SetProtocolEngine(conf, typeof(ContainerManagementProtocolPB), typeof(ProtobufRpcEngine )); ContainerManagementProtocol proxy = (ContainerManagementProtocol)rpc.GetProxy(typeof( ContainerManagementProtocol), NetUtils.GetConnectAddress(server), conf); ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext >(); ApplicationId applicationId = ApplicationId.NewInstance(0, 0); ApplicationAttemptId applicationAttemptId = ApplicationAttemptId.NewInstance(applicationId , 0); ContainerId containerId = ContainerId.NewContainerId(applicationAttemptId, 100); NodeId nodeId = NodeId.NewInstance("localhost", 1234); Resource resource = Resource.NewInstance(1234, 2); ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier( containerId, "localhost", "user", resource, Runtime.CurrentTimeMillis() + 10000, 42, 42, Priority.NewInstance(0), 0); Token containerToken = NewContainerToken(nodeId, Sharpen.Runtime.GetBytesForString ("password"), containerTokenIdentifier); StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext , containerToken); IList <StartContainerRequest> list = new AList <StartContainerRequest>(); list.AddItem(scRequest); StartContainersRequest allRequests = StartContainersRequest.NewInstance(list); proxy.StartContainers(allRequests); IList <ContainerId> containerIds = new AList <ContainerId>(); containerIds.AddItem(containerId); GetContainerStatusesRequest gcsRequest = GetContainerStatusesRequest.NewInstance( containerIds); GetContainerStatusesResponse response = proxy.GetContainerStatuses(gcsRequest); IList <ContainerStatus> statuses = response.GetContainerStatuses(); //test remote exception bool exception = false; try { StopContainersRequest stopRequest = recordFactory.NewRecordInstance <StopContainersRequest >(); stopRequest.SetContainerIds(containerIds); proxy.StopContainers(stopRequest); } catch (YarnException e) { exception = true; NUnit.Framework.Assert.IsTrue(e.Message.Contains(ExceptionMsg)); NUnit.Framework.Assert.IsTrue(e.Message.Contains(ExceptionCause)); System.Console.Out.WriteLine("Test Exception is " + e.Message); } catch (Exception ex) { Sharpen.Runtime.PrintStackTrace(ex); } NUnit.Framework.Assert.IsTrue(exception); server.Stop(); NUnit.Framework.Assert.IsNotNull(statuses[0]); NUnit.Framework.Assert.AreEqual(ContainerState.Running, statuses[0].GetState()); }
public virtual void TestAuxEventDispatch() { Configuration conf = new Configuration(); conf.SetStrings(YarnConfiguration.NmAuxServices, new string[] { "Asrv", "Bsrv" }); conf.SetClass(string.Format(YarnConfiguration.NmAuxServiceFmt, "Asrv"), typeof(TestAuxServices.ServiceA ), typeof(Org.Apache.Hadoop.Service.Service)); conf.SetClass(string.Format(YarnConfiguration.NmAuxServiceFmt, "Bsrv"), typeof(TestAuxServices.ServiceB ), typeof(Org.Apache.Hadoop.Service.Service)); conf.SetInt("A.expected.init", 1); conf.SetInt("B.expected.stop", 1); AuxServices aux = new AuxServices(); aux.Init(conf); aux.Start(); ApplicationId appId1 = ApplicationId.NewInstance(0, 65); ByteBuffer buf = ByteBuffer.Allocate(6); buf.PutChar('A'); buf.PutInt(65); buf.Flip(); AuxServicesEvent @event = new AuxServicesEvent(AuxServicesEventType.ApplicationInit , "user0", appId1, "Asrv", buf); aux.Handle(@event); ApplicationId appId2 = ApplicationId.NewInstance(0, 66); @event = new AuxServicesEvent(AuxServicesEventType.ApplicationStop, "user0", appId2 , "Bsrv", null); // verify all services got the stop event aux.Handle(@event); ICollection <AuxiliaryService> servs = aux.GetServices(); foreach (AuxiliaryService serv in servs) { AList <int> appIds = ((TestAuxServices.LightService)serv).GetAppIdsStopped(); NUnit.Framework.Assert.AreEqual("app not properly stopped", 1, appIds.Count); NUnit.Framework.Assert.IsTrue("wrong app stopped", appIds.Contains((int)66)); } foreach (AuxiliaryService serv_1 in servs) { NUnit.Framework.Assert.IsNull(((TestAuxServices.LightService)serv_1).containerId); NUnit.Framework.Assert.IsNull(((TestAuxServices.LightService)serv_1).resource); } ApplicationAttemptId attemptId = ApplicationAttemptId.NewInstance(appId1, 1); ContainerTokenIdentifier cti = new ContainerTokenIdentifier(ContainerId.NewContainerId (attemptId, 1), string.Empty, string.Empty, Resource.NewInstance(1, 1), 0, 0, 0, Priority.NewInstance(0), 0); Org.Apache.Hadoop.Yarn.Server.Nodemanager.Containermanager.Container.Container container = new ContainerImpl(null, null, null, null, null, null, cti); ContainerId containerId = container.GetContainerId(); Resource resource = container.GetResource(); @event = new AuxServicesEvent(AuxServicesEventType.ContainerInit, container); aux.Handle(@event); foreach (AuxiliaryService serv_2 in servs) { NUnit.Framework.Assert.AreEqual(containerId, ((TestAuxServices.LightService)serv_2 ).containerId); NUnit.Framework.Assert.AreEqual(resource, ((TestAuxServices.LightService)serv_2). resource); ((TestAuxServices.LightService)serv_2).containerId = null; ((TestAuxServices.LightService)serv_2).resource = null; } @event = new AuxServicesEvent(AuxServicesEventType.ContainerStop, container); aux.Handle(@event); foreach (AuxiliaryService serv_3 in servs) { NUnit.Framework.Assert.AreEqual(containerId, ((TestAuxServices.LightService)serv_3 ).containerId); NUnit.Framework.Assert.AreEqual(resource, ((TestAuxServices.LightService)serv_3). resource); } }
/// <exception cref="System.Exception"/> private void TestNMTokens(Configuration conf) { NMTokenSecretManagerInRM nmTokenSecretManagerRM = yarnCluster.GetResourceManager( ).GetRMContext().GetNMTokenSecretManager(); NMTokenSecretManagerInNM nmTokenSecretManagerNM = yarnCluster.GetNodeManager(0).GetNMContext ().GetNMTokenSecretManager(); RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager ().GetRMContext().GetContainerTokenSecretManager(); NodeManager nm = yarnCluster.GetNodeManager(0); WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerNM, nm); // Both id should be equal. NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerNM.GetCurrentKey().GetKeyId() , nmTokenSecretManagerRM.GetCurrentKey().GetKeyId()); /* * Below cases should be tested. * 1) If Invalid NMToken is used then it should be rejected. * 2) If valid NMToken but belonging to another Node is used then that * too should be rejected. * 3) NMToken for say appAttempt-1 is used for starting/stopping/retrieving * status for container with containerId for say appAttempt-2 should * be rejected. * 4) After start container call is successful nmtoken should have been * saved in NMTokenSecretManagerInNM. * 5) If start container call was successful (no matter if container is * still running or not), appAttempt->NMToken should be present in * NMTokenSecretManagerInNM's cache. Any future getContainerStatus call * for containerId belonging to that application attempt using * applicationAttempt's older nmToken should not get any invalid * nmToken error. (This can be best tested if we roll over NMToken * master key twice). */ YarnRPC rpc = YarnRPC.Create(conf); string user = "******"; Resource r = Resource.NewInstance(1024, 1); ApplicationId appId = ApplicationId.NewInstance(1, 1); ApplicationAttemptId validAppAttemptId = ApplicationAttemptId.NewInstance(appId, 1); ContainerId validContainerId = ContainerId.NewContainerId(validAppAttemptId, 0); NodeId validNode = yarnCluster.GetNodeManager(0).GetNMContext().GetNodeId(); NodeId invalidNode = NodeId.NewInstance("InvalidHost", 1234); Token validNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode , user); Token validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId , validNode, user, r, Priority.NewInstance(10), 1234); ContainerTokenIdentifier identifier = BuilderUtils.NewContainerTokenIdentifier(validContainerToken ); NUnit.Framework.Assert.AreEqual(Priority.NewInstance(10), identifier.GetPriority( )); NUnit.Framework.Assert.AreEqual(1234, identifier.GetCreationTime()); StringBuilder sb; // testInvalidNMToken ... creating NMToken using different secret manager. NMTokenSecretManagerInRM tempManager = new NMTokenSecretManagerInRM(conf); tempManager.RollMasterKey(); do { tempManager.RollMasterKey(); tempManager.ActivateNextMasterKey(); }while (tempManager.GetCurrentKey().GetKeyId() == nmTokenSecretManagerRM.GetCurrentKey ().GetKeyId()); // Making sure key id is different. // Testing that NM rejects the requests when we don't send any token. if (UserGroupInformation.IsSecurityEnabled()) { sb = new StringBuilder("Client cannot authenticate via:[TOKEN]"); } else { sb = new StringBuilder("SIMPLE authentication is not enabled. Available:[TOKEN]" ); } string errorMsg = TestStartContainer(rpc, validAppAttemptId, validNode, validContainerToken , null, true); NUnit.Framework.Assert.IsTrue(errorMsg.Contains(sb.ToString())); Token invalidNMToken = tempManager.CreateNMToken(validAppAttemptId, validNode, user ); sb = new StringBuilder("Given NMToken for application : "); sb.Append(validAppAttemptId.ToString()).Append(" seems to have been generated illegally." ); NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId , validNode, validContainerToken, invalidNMToken, true))); // valid NMToken but belonging to other node invalidNMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, invalidNode , user); sb = new StringBuilder("Given NMToken for application : "); sb.Append(validAppAttemptId).Append(" is not valid for current node manager.expected : " ).Append(validNode.ToString()).Append(" found : ").Append(invalidNode.ToString() ); NUnit.Framework.Assert.IsTrue(sb.ToString().Contains(TestStartContainer(rpc, validAppAttemptId , validNode, validContainerToken, invalidNMToken, true))); // using correct tokens. nmtoken for app attempt should get saved. conf.SetInt(YarnConfiguration.RmContainerAllocExpiryIntervalMs, 4 * 60 * 1000); validContainerToken = containerTokenSecretManager.CreateContainerToken(validContainerId , validNode, user, r, Priority.NewInstance(0), 0); NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode , validContainerToken, validNMToken, false).IsEmpty()); NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent (validAppAttemptId)); // using a new compatible version nmtoken, expect container can be started // successfully. ApplicationAttemptId validAppAttemptId2 = ApplicationAttemptId.NewInstance(appId, 2); ContainerId validContainerId2 = ContainerId.NewContainerId(validAppAttemptId2, 0); Token validContainerToken2 = containerTokenSecretManager.CreateContainerToken(validContainerId2 , validNode, user, r, Priority.NewInstance(0), 0); Token validNMToken2 = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId2, validNode , user); // First, get a new NMTokenIdentifier. NMTokenIdentifier newIdentifier = new NMTokenIdentifier(); byte[] tokenIdentifierContent = ((byte[])validNMToken2.GetIdentifier().Array()); DataInputBuffer dib = new DataInputBuffer(); dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length); newIdentifier.ReadFields(dib); // Then, generate a new version NMTokenIdentifier (NMTokenIdentifierNewForTest) // with additional field of message. NMTokenIdentifierNewForTest newVersionIdentifier = new NMTokenIdentifierNewForTest (newIdentifier, "message"); // check new version NMTokenIdentifier has correct info. NUnit.Framework.Assert.AreEqual("The ApplicationAttemptId is changed after set to " + "newVersionIdentifier", validAppAttemptId2.GetAttemptId(), newVersionIdentifier .GetApplicationAttemptId().GetAttemptId()); NUnit.Framework.Assert.AreEqual("The message is changed after set to newVersionIdentifier" , "message", newVersionIdentifier.GetMessage()); NUnit.Framework.Assert.AreEqual("The NodeId is changed after set to newVersionIdentifier" , validNode, newVersionIdentifier.GetNodeId()); // create new Token based on new version NMTokenIdentifier. Token newVersionedNMToken = BaseNMTokenSecretManager.NewInstance(nmTokenSecretManagerRM .RetrievePassword(newVersionIdentifier), newVersionIdentifier); // Verify startContainer is successful and no exception is thrown. NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId2, validNode , validContainerToken2, newVersionedNMToken, false).IsEmpty()); NUnit.Framework.Assert.IsTrue(nmTokenSecretManagerNM.IsAppAttemptNMTokenKeyPresent (validAppAttemptId2)); //Now lets wait till container finishes and is removed from node manager. WaitForContainerToFinishOnNM(validContainerId); sb = new StringBuilder("Attempt to relaunch the same container with id "); sb.Append(validContainerId); NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, validAppAttemptId, validNode , validContainerToken, validNMToken, true).Contains(sb.ToString())); // Container is removed from node manager's memory by this time. // trying to stop the container. It should not throw any exception. TestStopContainer(rpc, validAppAttemptId, validNode, validContainerId, validNMToken , false); // Rolling over master key twice so that we can check whether older keys // are used for authentication. RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM); // Key rolled over once.. rolling over again RollNMTokenMasterKey(nmTokenSecretManagerRM, nmTokenSecretManagerNM); // trying get container status. Now saved nmToken should be used for // authentication... It should complain saying container was recently // stopped. sb = new StringBuilder("Container "); sb.Append(validContainerId); sb.Append(" was recently stopped on node manager"); NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode, validContainerId, validNMToken, true).Contains(sb.ToString())); // Now lets remove the container from nm-memory nm.GetNodeStatusUpdater().ClearFinishedContainersFromCache(); // This should fail as container is removed from recently tracked finished // containers. sb = new StringBuilder("Container "); sb.Append(validContainerId.ToString()); sb.Append(" is not handled by this NodeManager"); NUnit.Framework.Assert.IsTrue(TestGetContainer(rpc, validAppAttemptId, validNode, validContainerId, validNMToken, false).Contains(sb.ToString())); // using appAttempt-1 NMtoken for launching container for appAttempt-2 should // succeed. ApplicationAttemptId attempt2 = ApplicationAttemptId.NewInstance(appId, 2); Token attempt1NMToken = nmTokenSecretManagerRM.CreateNMToken(validAppAttemptId, validNode , user); Token newContainerToken = containerTokenSecretManager.CreateContainerToken(ContainerId .NewContainerId(attempt2, 1), validNode, user, r, Priority.NewInstance(0), 0); NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, attempt2, validNode, newContainerToken , attempt1NMToken, false).IsEmpty()); }
/// <summary> /// This tests a malice user getting a proper token but then messing with it by /// tampering with containerID/Resource etc.. /// </summary> /// <remarks> /// This tests a malice user getting a proper token but then messing with it by /// tampering with containerID/Resource etc.. His/her containers should be /// rejected. /// </remarks> /// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> private void TestContainerToken(Configuration conf) { Log.Info("Running test for malice user"); /* * We need to check for containerToken (authorization). * Here we will be assuming that we have valid NMToken * 1) ContainerToken used is expired. * 2) ContainerToken is tampered (resource is modified). */ NMTokenSecretManagerInRM nmTokenSecretManagerInRM = yarnCluster.GetResourceManager ().GetRMContext().GetNMTokenSecretManager(); ApplicationId appId = ApplicationId.NewInstance(1, 1); ApplicationAttemptId appAttemptId = ApplicationAttemptId.NewInstance(appId, 0); ContainerId cId = ContainerId.NewContainerId(appAttemptId, 0); NodeManager nm = yarnCluster.GetNodeManager(0); NMTokenSecretManagerInNM nmTokenSecretManagerInNM = nm.GetNMContext().GetNMTokenSecretManager (); string user = "******"; WaitForNMToReceiveNMTokenKey(nmTokenSecretManagerInNM, nm); NodeId nodeId = nm.GetNMContext().GetNodeId(); // Both id should be equal. NUnit.Framework.Assert.AreEqual(nmTokenSecretManagerInNM.GetCurrentKey().GetKeyId (), nmTokenSecretManagerInRM.GetCurrentKey().GetKeyId()); RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.GetResourceManager ().GetRMContext().GetContainerTokenSecretManager(); Resource r = Resource.NewInstance(1230, 2); Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken = containerTokenSecretManager .CreateContainerToken(cId, nodeId, user, r, Priority.NewInstance(0), 0); ContainerTokenIdentifier containerTokenIdentifier = GetContainerTokenIdentifierFromToken (containerToken); // Verify new compatible version ContainerTokenIdentifier can work successfully. ContainerTokenIdentifierForTest newVersionTokenIdentifier = new ContainerTokenIdentifierForTest (containerTokenIdentifier, "message"); byte[] password = containerTokenSecretManager.CreatePassword(newVersionTokenIdentifier ); Org.Apache.Hadoop.Yarn.Api.Records.Token newContainerToken = BuilderUtils.NewContainerToken (nodeId, password, newVersionTokenIdentifier); Org.Apache.Hadoop.Yarn.Api.Records.Token nmToken = nmTokenSecretManagerInRM.CreateNMToken (appAttemptId, nodeId, user); YarnRPC rpc = YarnRPC.Create(conf); NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, newContainerToken , nmToken, false).IsEmpty()); // Creating a tampered Container Token RMContainerTokenSecretManager tamperedContainerTokenSecretManager = new RMContainerTokenSecretManager (conf); tamperedContainerTokenSecretManager.RollMasterKey(); do { tamperedContainerTokenSecretManager.RollMasterKey(); tamperedContainerTokenSecretManager.ActivateNextMasterKey(); }while (containerTokenSecretManager.GetCurrentKey().GetKeyId() == tamperedContainerTokenSecretManager .GetCurrentKey().GetKeyId()); ContainerId cId2 = ContainerId.NewContainerId(appAttemptId, 1); // Creating modified containerToken Org.Apache.Hadoop.Yarn.Api.Records.Token containerToken2 = tamperedContainerTokenSecretManager .CreateContainerToken(cId2, nodeId, user, r, Priority.NewInstance(0), 0); StringBuilder sb = new StringBuilder("Given Container "); sb.Append(cId2); sb.Append(" seems to have an illegally generated token."); NUnit.Framework.Assert.IsTrue(TestStartContainer(rpc, appAttemptId, nodeId, containerToken2 , nmToken, true).Contains(sb.ToString())); }