/// <exception cref="System.Exception"/>
public virtual void TestHAUtilClonesDelegationTokens()
{
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
(fs, "JobTracker");
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test");
URI haUri = new URI("hdfs://my-ha-uri/");
token.SetService(HAUtil.BuildTokenServiceForLogicalUri(haUri, HdfsConstants.HdfsUriScheme
));
ugi.AddToken(token);
ICollection <IPEndPoint> nnAddrs = new HashSet <IPEndPoint>();
nnAddrs.AddItem(new IPEndPoint("localhost", nn0.GetNameNodeAddress().Port));
nnAddrs.AddItem(new IPEndPoint("localhost", nn1.GetNameNodeAddress().Port));
HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
ICollection <Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> > tokens = ugi
.GetTokens();
NUnit.Framework.Assert.AreEqual(3, tokens.Count);
Log.Info("Tokens:\n" + Joiner.On("\n").Join(tokens));
DelegationTokenSelector dts = new DelegationTokenSelector();
// check that the token selected for one of the physical IPC addresses
// matches the one we received
foreach (IPEndPoint addr in nnAddrs)
{
Text ipcDtService = SecurityUtil.BuildTokenService(addr);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
(ipcDtService, ugi.GetTokens());
NUnit.Framework.Assert.IsNotNull(token2);
Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier());
Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword());
}
// switch to host-based tokens, shouldn't match existing tokens
SecurityUtilTestHelper.SetTokenServiceUseIp(false);
foreach (IPEndPoint addr_1 in nnAddrs)
{
Text ipcDtService = SecurityUtil.BuildTokenService(addr_1);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
(ipcDtService, ugi.GetTokens());
NUnit.Framework.Assert.IsNull(token2);
}
// reclone the tokens, and see if they match now
HAUtil.CloneDelegationTokenForLogicalUri(ugi, haUri, nnAddrs);
foreach (IPEndPoint addr_2 in nnAddrs)
{
Text ipcDtService = SecurityUtil.BuildTokenService(addr_2);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token2 = dts.SelectToken
(ipcDtService, ugi.GetTokens());
NUnit.Framework.Assert.IsNotNull(token2);
Assert.AssertArrayEquals(token.GetIdentifier(), token2.GetIdentifier());
Assert.AssertArrayEquals(token.GetPassword(), token2.GetPassword());
}
}
/// <summary>Add the job token of a job to cache</summary>
/// <param name="jobId">the job that owns the token</param>
/// <param name="token">the job token</param>
public virtual void AddTokenForJob(string jobId, Org.Apache.Hadoop.Security.Token.Token
<JobTokenIdentifier> token)
{
SecretKey tokenSecret = CreateSecretKey(token.GetPassword());
lock (currentJobTokens)
{
currentJobTokens[jobId] = tokenSecret;
}
}
/// <summary>Renew a delegation token.</summary>
/// <param name="token">the token to renew</param>
/// <param name="renewer">the full principal name of the user doing the renewal</param>
/// <returns>the new expiration time</returns>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken">if the token is invalid
/// </exception>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the user can't renew token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public virtual long RenewToken(Org.Apache.Hadoop.Security.Token.Token <TokenIdent>
token, string renewer)
{
lock (this)
{
ByteArrayInputStream buf = new ByteArrayInputStream(token.GetIdentifier());
DataInputStream @in = new DataInputStream(buf);
TokenIdent id = CreateIdentifier();
id.ReadFields(@in);
Log.Info("Token renewal for identifier: " + id + "; total currentTokens " + currentTokens
.Count);
long now = Time.Now();
if (id.GetMaxDate() < now)
{
throw new SecretManager.InvalidToken(renewer + " tried to renew an expired token"
);
}
if ((id.GetRenewer() == null) || (id.GetRenewer().ToString().IsEmpty()))
{
throw new AccessControlException(renewer + " tried to renew a token without a renewer"
);
}
if (!id.GetRenewer().ToString().Equals(renewer))
{
throw new AccessControlException(renewer + " tries to renew a token with renewer "
+ id.GetRenewer());
}
DelegationKey key = GetDelegationKey(id.GetMasterKeyId());
if (key == null)
{
throw new SecretManager.InvalidToken("Unable to find master key for keyId=" + id.
GetMasterKeyId() + " from cache. Failed to renew an unexpired token" + " with sequenceNumber="
+ id.GetSequenceNumber());
}
byte[] password = CreatePassword(token.GetIdentifier(), key.GetKey());
if (!Arrays.Equals(password, token.GetPassword()))
{
throw new AccessControlException(renewer + " is trying to renew a token with wrong password"
);
}
long renewTime = Math.Min(id.GetMaxDate(), now + tokenRenewInterval);
string trackingId = GetTrackingIdIfEnabled(id);
AbstractDelegationTokenSecretManager.DelegationTokenInformation info = new AbstractDelegationTokenSecretManager.DelegationTokenInformation
(renewTime, password, trackingId);
if (GetTokenInfo(id) == null)
{
throw new SecretManager.InvalidToken("Renewal request for unknown token");
}
UpdateToken(id, info);
return(renewTime);
}
}
public virtual void TestAMRMTokenUpdate()
{
Configuration conf = new Configuration();
ApplicationAttemptId attemptId = ApplicationAttemptId.NewInstance(ApplicationId.NewInstance
(1, 1), 1);
AMRMTokenIdentifier oldTokenId = new AMRMTokenIdentifier(attemptId, 1);
AMRMTokenIdentifier newTokenId = new AMRMTokenIdentifier(attemptId, 2);
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> oldToken = new Org.Apache.Hadoop.Security.Token.Token
<AMRMTokenIdentifier>(oldTokenId.GetBytes(), Sharpen.Runtime.GetBytesForString("oldpassword"
), oldTokenId.GetKind(), new Text());
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> newToken = new Org.Apache.Hadoop.Security.Token.Token
<AMRMTokenIdentifier>(newTokenId.GetBytes(), Sharpen.Runtime.GetBytesForString("newpassword"
), newTokenId.GetKind(), new Text());
TestLocalContainerAllocator.MockScheduler scheduler = new TestLocalContainerAllocator.MockScheduler
();
scheduler.amToken = newToken;
LocalContainerAllocator lca = new TestLocalContainerAllocator.StubbedLocalContainerAllocator
(scheduler);
lca.Init(conf);
lca.Start();
UserGroupInformation testUgi = UserGroupInformation.CreateUserForTesting("someuser"
, new string[0]);
testUgi.AddToken(oldToken);
testUgi.DoAs(new _PrivilegedExceptionAction_144(lca));
lca.Close();
// verify there is only one AMRM token in the UGI and it matches the
// updated token from the RM
int tokenCount = 0;
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> ugiToken = null;
foreach (Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> token in testUgi
.GetTokens())
{
if (AMRMTokenIdentifier.KindName.Equals(token.GetKind()))
{
ugiToken = token;
++tokenCount;
}
}
NUnit.Framework.Assert.AreEqual("too many AMRM tokens", 1, tokenCount);
Assert.AssertArrayEquals("token identifier not updated", newToken.GetIdentifier()
, ugiToken.GetIdentifier());
Assert.AssertArrayEquals("token password not updated", newToken.GetPassword(), ugiToken
.GetPassword());
NUnit.Framework.Assert.AreEqual("AMRM token service not updated", new Text(ClientRMProxy
.GetAMRMTokenService(conf)), ugiToken.GetService());
}
/// <summary>Check if access should be allowed.</summary>
/// <remarks>Check if access should be allowed. userID is not checked if null</remarks>
/// <exception cref="Org.Apache.Hadoop.Security.Token.SecretManager.InvalidToken"/>
public virtual void CheckAccess(Org.Apache.Hadoop.Security.Token.Token <BlockTokenIdentifier
> token, string userId, ExtendedBlock block, BlockTokenSecretManager.AccessMode
mode)
{
BlockTokenIdentifier id = new BlockTokenIdentifier();
try
{
id.ReadFields(new DataInputStream(new ByteArrayInputStream(token.GetIdentifier())
));
}
catch (IOException)
{
throw new SecretManager.InvalidToken("Unable to de-serialize block token identifier for user="******", block=" + block + ", access mode=" + mode);
}
CheckAccess(id, userId, block, mode);
if (!Arrays.Equals(RetrievePassword(id), token.GetPassword()))
{
throw new SecretManager.InvalidToken("Block token with " + id.ToString() + " doesn't have the correct token password"
);
}
}
/// <summary>
/// Test if correct exception (StandbyException or RetriableException) can be
/// thrown during the NN failover.
/// </summary>
/// <exception cref="System.Exception"/>
public virtual void TestDelegationTokenDuringNNFailover()
{
EditLogTailer editLogTailer = nn1.GetNamesystem().GetEditLogTailer();
// stop the editLogTailer of nn1
editLogTailer.Stop();
Configuration conf = (Configuration)Whitebox.GetInternalState(editLogTailer, "conf"
);
nn1.GetNamesystem().SetEditLogTailerForTests(new TestDelegationTokensWithHA.EditLogTailerForTest
(this, nn1.GetNamesystem(), conf));
// create token
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = GetDelegationToken
(fs, "JobTracker");
DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
byte[] tokenId = token.GetIdentifier();
identifier.ReadFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
// Ensure that it's present in the nn0 secret manager and can
// be renewed directly from there.
Log.Info("A valid token should have non-null password, " + "and should be renewed successfully"
);
NUnit.Framework.Assert.IsTrue(null != dtSecretManager.RetrievePassword(identifier
));
dtSecretManager.RenewToken(token, "JobTracker");
// transition nn0 to standby
cluster.TransitionToStandby(0);
try
{
cluster.GetNameNodeRpc(0).RenewDelegationToken(token);
NUnit.Framework.Assert.Fail("StandbyException is expected since nn0 is in standby state"
);
}
catch (StandbyException e)
{
GenericTestUtils.AssertExceptionContains(HAServiceProtocol.HAServiceState.Standby
.ToString(), e);
}
new _Thread_220().Start();
Sharpen.Thread.Sleep(1000);
try
{
nn1.GetNamesystem().VerifyToken(token.DecodeIdentifier(), token.GetPassword());
NUnit.Framework.Assert.Fail("RetriableException/StandbyException is expected since nn1 is in transition"
);
}
catch (IOException e)
{
NUnit.Framework.Assert.IsTrue(e is StandbyException || e is RetriableException);
Log.Info("Got expected exception", e);
}
catchup = true;
lock (this)
{
Sharpen.Runtime.NotifyAll(this);
}
Configuration clientConf = dfs.GetConf();
DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Renew
);
DoRenewOrCancel(token, clientConf, TestDelegationTokensWithHA.TokenTestAction.Cancel
);
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public virtual AllocateResponse Allocate(AllocateRequest request)
{
NUnit.Framework.Assert.AreEqual("response ID mismatch", responseId, request.GetResponseId
());
++responseId;
Org.Apache.Hadoop.Yarn.Api.Records.Token yarnToken = null;
if (amToken != null)
{
yarnToken = Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(amToken.GetIdentifier
(), amToken.GetKind().ToString(), amToken.GetPassword(), amToken.GetService().ToString
());
}
return(AllocateResponse.NewInstance(responseId, Collections.EmptyList <ContainerStatus
>(), Collections.EmptyList <Container>(), Collections.EmptyList <NodeReport>(), Resources
.None(), null, 1, null, Collections.EmptyList <NMToken>(), yarnToken, Collections
.EmptyList <ContainerResourceIncrease>(), Collections.EmptyList <ContainerResourceDecrease
>()));
}
private static Org.Apache.Hadoop.Yarn.Api.Records.Token ConvertToProtoToken <_T0>(
Org.Apache.Hadoop.Security.Token.Token <_T0> token)
where _T0 : TokenIdentifier
{
return(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance(token.GetIdentifier()
, token.GetKind().ToString(), token.GetPassword(), token.GetService().ToString()
));
}
private void VerifyTamperedToken(Configuration conf, TestClientToAMTokens.CustomAM
am, Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token, UserGroupInformation
ugi, ClientToAMTokenIdentifier maliciousID)
{
Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> maliciousToken =
new Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier>(maliciousID
.GetBytes(), token.GetPassword(), token.GetKind(), token.GetService());
ugi.AddToken(maliciousToken);
try
{
ugi.DoAs(new _PrivilegedExceptionAction_338(am, conf));
}
catch (Exception e)
{
NUnit.Framework.Assert.AreEqual(typeof(RemoteException).FullName, e.GetType().FullName
);
e = ((RemoteException)e).UnwrapRemoteException();
NUnit.Framework.Assert.AreEqual(typeof(SaslException).GetCanonicalName(), e.GetType
().GetCanonicalName());
NUnit.Framework.Assert.IsTrue(e.Message.Contains("DIGEST-MD5: digest response format violation. "
+ "Mismatched response."));
NUnit.Framework.Assert.IsFalse(am.pinged);
}
}
public SaslClientCallbackHandler(Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier
> token)
{
this.userName = SaslRpcServer.EncodeIdentifier(token.GetIdentifier());
this.userPassword = SaslRpcServer.EncodePassword(token.GetPassword());
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
public override void Cancel <_T0>(Org.Apache.Hadoop.Security.Token.Token <_T0> token
, Configuration conf)
{
Org.Apache.Hadoop.Yarn.Api.Records.Token dToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(token.GetIdentifier(), token.GetKind().ToString(), token.GetPassword
(), token.GetService().ToString());
MRClientProtocol histProxy = InstantiateHistoryProxy(conf, SecurityUtil.GetTokenServiceAddr
(token));
try
{
CancelDelegationTokenRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<CancelDelegationTokenRequest>();
request.SetDelegationToken(dToken);
histProxy.CancelDelegationToken(request);
}
finally
{
StopHistoryProxy(histProxy);
}
}
public virtual void TestDelegationToken()
{
YarnConfiguration conf = new YarnConfiguration();
conf.Set(YarnConfiguration.RmPrincipal, "testuser/[email protected]");
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
ResourceScheduler scheduler = CreateMockScheduler(conf);
long initialInterval = 10000l;
long maxLifetime = 20000l;
long renewInterval = 10000l;
RMDelegationTokenSecretManager rmDtSecretManager = CreateRMDelegationTokenSecretManager
(initialInterval, maxLifetime, renewInterval);
rmDtSecretManager.StartThreads();
Log.Info("Creating DelegationTokenSecretManager with initialInterval: " + initialInterval
+ ", maxLifetime: " + maxLifetime + ", renewInterval: " + renewInterval);
ClientRMService clientRMService = new TestClientRMTokens.ClientRMServiceForTest(this
, conf, scheduler, rmDtSecretManager);
clientRMService.Init(conf);
clientRMService.Start();
ApplicationClientProtocol clientRMWithDT = null;
try
{
// Create a user for the renewr and fake the authentication-method
UserGroupInformation loggedInUser = UserGroupInformation.CreateRemoteUser("*****@*****.**"
);
NUnit.Framework.Assert.AreEqual("testrenewer", loggedInUser.GetShortUserName());
// Default realm is APACHE.ORG
loggedInUser.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
);
Token token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
long tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser1", conf);
GetNewApplicationRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <
GetNewApplicationRequest>();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Renew after 50% of token age.
while (Runtime.CurrentTimeMillis() < tokenFetchTime + initialInterval / 2)
{
Sharpen.Thread.Sleep(500l);
}
long nextExpTime = RenewDelegationToken(loggedInUser, clientRMService, token);
long renewalTime = Runtime.CurrentTimeMillis();
Log.Info("Renewed token at: " + renewalTime + ", NextExpiryTime: " + nextExpTime);
// Wait for first expiry, but before renewed expiry.
while (Runtime.CurrentTimeMillis() > tokenFetchTime + initialInterval && Runtime.
CurrentTimeMillis() < nextExpTime)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
// Valid token because of renewal.
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
// Wait for expiry.
while (Runtime.CurrentTimeMillis() < renewalTime + renewInterval)
{
Sharpen.Thread.Sleep(500l);
}
Sharpen.Thread.Sleep(50l);
Log.Info("At time: " + Runtime.CurrentTimeMillis() + ", token should be invalid");
// Token should have expired.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with an expired token");
}
catch (Exception e)
{
NUnit.Framework.Assert.AreEqual(typeof(SecretManager.InvalidToken).FullName, e.GetType
().FullName);
NUnit.Framework.Assert.IsTrue(e.Message.Contains("is expired"));
}
// Test cancellation
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
tokenFetchTime = Runtime.CurrentTimeMillis();
Log.Info("Got delegation token at: " + tokenFetchTime);
// Now try talking to RMService using the delegation token
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
CancelDelegationToken(loggedInUser, clientRMService, token);
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
// Creating a new connection.
clientRMWithDT = GetClientRMProtocolWithDT(token, clientRMService.GetBindAddress(
), "loginuser2", conf);
Log.Info("Cancelled delegation token at: " + Runtime.CurrentTimeMillis());
// Verify cancellation worked.
try
{
clientRMWithDT.GetNewApplication(request);
NUnit.Framework.Assert.Fail("Should not have succeeded with a cancelled delegation token"
);
}
catch (IOException)
{
}
catch (YarnException)
{
}
// Test new version token
// Stop the existing proxy, start another.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
clientRMWithDT = null;
}
token = GetDelegationToken(loggedInUser, clientRMService, loggedInUser.GetShortUserName
());
byte[] tokenIdentifierContent = ((byte[])token.GetIdentifier().Array());
RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier();
DataInputBuffer dib = new DataInputBuffer();
dib.Reset(tokenIdentifierContent, tokenIdentifierContent.Length);
tokenIdentifier.ReadFields(dib);
// Construct new version RMDelegationTokenIdentifier with additional field
RMDelegationTokenIdentifierForTest newVersionTokenIdentifier = new RMDelegationTokenIdentifierForTest
(tokenIdentifier, "message");
Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier> newRMDTtoken =
new Org.Apache.Hadoop.Security.Token.Token <RMDelegationTokenIdentifier>(newVersionTokenIdentifier
, rmDtSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token newToken = BuilderUtils.NewDelegationToken
(newRMDTtoken.GetIdentifier(), newRMDTtoken.GetKind().ToString(), newRMDTtoken.GetPassword
(), newRMDTtoken.GetService().ToString());
// Now try talking to RMService using the new version delegation token
clientRMWithDT = GetClientRMProtocolWithDT(newToken, clientRMService.GetBindAddress
(), "loginuser3", conf);
request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetNewApplicationRequest>
();
try
{
clientRMWithDT.GetNewApplication(request);
}
catch (IOException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
catch (YarnException e)
{
NUnit.Framework.Assert.Fail("Unexpected exception" + e);
}
}
finally
{
rmDtSecretManager.StopThreads();
// TODO PRECOMMIT Close proxies.
if (clientRMWithDT != null)
{
RPC.StopProxy(clientRMWithDT);
}
}
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public virtual AllocateResponse Allocate(AllocateRequest request)
{
AMRMTokenIdentifier amrmTokenIdentifier = AuthorizeRequest();
ApplicationAttemptId appAttemptId = amrmTokenIdentifier.GetApplicationAttemptId();
ApplicationId applicationId = appAttemptId.GetApplicationId();
this.amLivelinessMonitor.ReceivedPing(appAttemptId);
/* check if its in cache */
ApplicationMasterService.AllocateResponseLock Lock = responseMap[appAttemptId];
if (Lock == null)
{
string message = "Application attempt " + appAttemptId + " doesn't exist in ApplicationMasterService cache.";
Log.Error(message);
throw new ApplicationAttemptNotFoundException(message);
}
lock (Lock)
{
AllocateResponse lastResponse = Lock.GetAllocateResponse();
if (!HasApplicationMasterRegistered(appAttemptId))
{
string message = "AM is not registered for known application attempt: " + appAttemptId
+ " or RM had restarted after AM registered . AM should re-register.";
Log.Info(message);
RMAuditLogger.LogFailure(this.rmContext.GetRMApps()[appAttemptId.GetApplicationId
()].GetUser(), RMAuditLogger.AuditConstants.AmAllocate, string.Empty, "ApplicationMasterService"
, message, applicationId, appAttemptId);
throw new ApplicationMasterNotRegisteredException(message);
}
if ((request.GetResponseId() + 1) == lastResponse.GetResponseId())
{
/* old heartbeat */
return(lastResponse);
}
else
{
if (request.GetResponseId() + 1 < lastResponse.GetResponseId())
{
string message = "Invalid responseId in AllocateRequest from application attempt: "
+ appAttemptId + ", expect responseId to be " + (lastResponse.GetResponseId() +
1);
throw new InvalidApplicationMasterRequestException(message);
}
}
//filter illegal progress values
float filteredProgress = request.GetProgress();
if (float.IsNaN(filteredProgress) || filteredProgress == float.NegativeInfinity ||
filteredProgress < 0)
{
request.SetProgress(0);
}
else
{
if (filteredProgress > 1 || filteredProgress == float.PositiveInfinity)
{
request.SetProgress(1);
}
}
// Send the status update to the appAttempt.
this.rmContext.GetDispatcher().GetEventHandler().Handle(new RMAppAttemptStatusupdateEvent
(appAttemptId, request.GetProgress()));
IList <ResourceRequest> ask = request.GetAskList();
IList <ContainerId> release = request.GetReleaseList();
ResourceBlacklistRequest blacklistRequest = request.GetResourceBlacklistRequest();
IList <string> blacklistAdditions = (blacklistRequest != null) ? blacklistRequest.
GetBlacklistAdditions() : Sharpen.Collections.EmptyList;
IList <string> blacklistRemovals = (blacklistRequest != null) ? blacklistRequest.GetBlacklistRemovals
() : Sharpen.Collections.EmptyList;
RMApp app = this.rmContext.GetRMApps()[applicationId];
// set label expression for Resource Requests if resourceName=ANY
ApplicationSubmissionContext asc = app.GetApplicationSubmissionContext();
foreach (ResourceRequest req in ask)
{
if (null == req.GetNodeLabelExpression() && ResourceRequest.Any.Equals(req.GetResourceName
()))
{
req.SetNodeLabelExpression(asc.GetNodeLabelExpression());
}
}
// sanity check
try
{
RMServerUtils.NormalizeAndValidateRequests(ask, rScheduler.GetMaximumResourceCapability
(), app.GetQueue(), rScheduler, rmContext);
}
catch (InvalidResourceRequestException e)
{
Log.Warn("Invalid resource ask by application " + appAttemptId, e);
throw;
}
try
{
RMServerUtils.ValidateBlacklistRequest(blacklistRequest);
}
catch (InvalidResourceBlacklistRequestException e)
{
Log.Warn("Invalid blacklist request by application " + appAttemptId, e);
throw;
}
// In the case of work-preserving AM restart, it's possible for the
// AM to release containers from the earlier attempt.
if (!app.GetApplicationSubmissionContext().GetKeepContainersAcrossApplicationAttempts
())
{
try
{
RMServerUtils.ValidateContainerReleaseRequest(release, appAttemptId);
}
catch (InvalidContainerReleaseException e)
{
Log.Warn("Invalid container release by application " + appAttemptId, e);
throw;
}
}
// Send new requests to appAttempt.
Allocation allocation = this.rScheduler.Allocate(appAttemptId, ask, release, blacklistAdditions
, blacklistRemovals);
if (!blacklistAdditions.IsEmpty() || !blacklistRemovals.IsEmpty())
{
Log.Info("blacklist are updated in Scheduler." + "blacklistAdditions: " + blacklistAdditions
+ ", " + "blacklistRemovals: " + blacklistRemovals);
}
RMAppAttempt appAttempt = app.GetRMAppAttempt(appAttemptId);
AllocateResponse allocateResponse = recordFactory.NewRecordInstance <AllocateResponse
>();
if (!allocation.GetContainers().IsEmpty())
{
allocateResponse.SetNMTokens(allocation.GetNMTokens());
}
// update the response with the deltas of node status changes
IList <RMNode> updatedNodes = new AList <RMNode>();
if (app.PullRMNodeUpdates(updatedNodes) > 0)
{
IList <NodeReport> updatedNodeReports = new AList <NodeReport>();
foreach (RMNode rmNode in updatedNodes)
{
SchedulerNodeReport schedulerNodeReport = rScheduler.GetNodeReport(rmNode.GetNodeID
());
Resource used = BuilderUtils.NewResource(0, 0);
int numContainers = 0;
if (schedulerNodeReport != null)
{
used = schedulerNodeReport.GetUsedResource();
numContainers = schedulerNodeReport.GetNumContainers();
}
NodeId nodeId = rmNode.GetNodeID();
NodeReport report = BuilderUtils.NewNodeReport(nodeId, rmNode.GetState(), rmNode.
GetHttpAddress(), rmNode.GetRackName(), used, rmNode.GetTotalCapability(), numContainers
, rmNode.GetHealthReport(), rmNode.GetLastHealthReportTime(), rmNode.GetNodeLabels
());
updatedNodeReports.AddItem(report);
}
allocateResponse.SetUpdatedNodes(updatedNodeReports);
}
allocateResponse.SetAllocatedContainers(allocation.GetContainers());
allocateResponse.SetCompletedContainersStatuses(appAttempt.PullJustFinishedContainers
());
allocateResponse.SetResponseId(lastResponse.GetResponseId() + 1);
allocateResponse.SetAvailableResources(allocation.GetResourceLimit());
allocateResponse.SetNumClusterNodes(this.rScheduler.GetNumClusterNodes());
// add preemption to the allocateResponse message (if any)
allocateResponse.SetPreemptionMessage(GeneratePreemptionMessage(allocation));
// update AMRMToken if the token is rolled-up
MasterKeyData nextMasterKey = this.rmContext.GetAMRMTokenSecretManager().GetNextMasterKeyData
();
if (nextMasterKey != null && nextMasterKey.GetMasterKey().GetKeyId() != amrmTokenIdentifier
.GetKeyId())
{
RMAppAttemptImpl appAttemptImpl = (RMAppAttemptImpl)appAttempt;
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> amrmToken = appAttempt
.GetAMRMToken();
if (nextMasterKey.GetMasterKey().GetKeyId() != appAttemptImpl.GetAMRMTokenKeyId())
{
Log.Info("The AMRMToken has been rolled-over. Send new AMRMToken back" + " to application: "
+ applicationId);
amrmToken = rmContext.GetAMRMTokenSecretManager().CreateAndGetAMRMToken(appAttemptId
);
appAttemptImpl.SetAMRMToken(amrmToken);
}
allocateResponse.SetAMRMToken(Org.Apache.Hadoop.Yarn.Api.Records.Token.NewInstance
(amrmToken.GetIdentifier(), amrmToken.GetKind().ToString(), amrmToken.GetPassword
(), amrmToken.GetService().ToString()));
}
/*
* As we are updating the response inside the lock object so we don't
* need to worry about unregister call occurring in between (which
* removes the lock object).
*/
Lock.SetAllocateResponse(allocateResponse);
return(allocateResponse);
}
}
