/// <exception cref="System.Exception"/> public virtual void TestClientTokenRace() { conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol >(); StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse >(); Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest )Matchers.Any())).ThenReturn(mockResponse); DrainDispatcher dispatcher = new DrainDispatcher(); MockRM rm = new _MockRMWithCustomAMLauncher_433(dispatcher, conf, containerManager ); rm.Start(); // Submit an app RMApp app = rm.SubmitApp(1024); // Set up a node. MockNM nm1 = rm.RegisterNode("localhost:1234", 3072); nm1.NodeHeartbeat(true); dispatcher.Await(); nm1.NodeHeartbeat(true); dispatcher.Await(); ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId(); MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app .GetCurrentAppAttempt().GetAppAttemptId()); UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString ()); RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_469 (mockAM)); // Get the app-report. GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetApplicationReportRequest>(); request.SetApplicationId(app.GetApplicationId()); GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport (request); ApplicationReport appReport = reportResponse.GetApplicationReport(); Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken (); // ClientToAMToken master key should have been received on register // application master response. ByteBuffer clientMasterKey = response.GetClientToAMTokenMasterKey(); NUnit.Framework.Assert.IsNotNull(clientMasterKey); NUnit.Framework.Assert.IsTrue(((byte[])clientMasterKey.Array()).Length > 0); // Start the AM with the correct shared-secret. ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next (); NUnit.Framework.Assert.IsNotNull(appAttemptId); TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId , null); am.Init(conf); am.Start(); // Now the real test! // Set up clients to be able to pick up correct tokens. SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo ()); Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils .ConvertFromYarn(originalClientToAMToken, am.address); // Schedule the key to be set after a significant delay Timer timer = new Timer(); TimerTask timerTask = new _TimerTask_516(am, clientMasterKey); timer.Schedule(timerTask, 250); // connect should pause waiting for the master key to arrive VerifyValidToken(conf, am, token); am.Stop(); rm.Stop(); }
public virtual void TestClientToAMTokens() { conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); ContainerManagementProtocol containerManager = Org.Mockito.Mockito.Mock <ContainerManagementProtocol >(); StartContainersResponse mockResponse = Org.Mockito.Mockito.Mock <StartContainersResponse >(); Org.Mockito.Mockito.When(containerManager.StartContainers((StartContainersRequest )Matchers.Any())).ThenReturn(mockResponse); DrainDispatcher dispatcher = new DrainDispatcher(); MockRM rm = new _MockRMWithCustomAMLauncher_192(dispatcher, conf, containerManager ); rm.Start(); // Submit an app RMApp app = rm.SubmitApp(1024); // Set up a node. MockNM nm1 = rm.RegisterNode("localhost:1234", 3072); nm1.NodeHeartbeat(true); dispatcher.Await(); nm1.NodeHeartbeat(true); dispatcher.Await(); ApplicationAttemptId appAttempt = app.GetCurrentAppAttempt().GetAppAttemptId(); MockAM mockAM = new MockAM(rm.GetRMContext(), rm.GetApplicationMasterService(), app .GetCurrentAppAttempt().GetAppAttemptId()); UserGroupInformation appUgi = UserGroupInformation.CreateRemoteUser(appAttempt.ToString ()); RegisterApplicationMasterResponse response = appUgi.DoAs(new _PrivilegedAction_229 (mockAM)); // Get the app-report. GetApplicationReportRequest request = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <GetApplicationReportRequest>(); request.SetApplicationId(app.GetApplicationId()); GetApplicationReportResponse reportResponse = rm.GetClientRMService().GetApplicationReport (request); ApplicationReport appReport = reportResponse.GetApplicationReport(); Org.Apache.Hadoop.Yarn.Api.Records.Token originalClientToAMToken = appReport.GetClientToAMToken (); // ClientToAMToken master key should have been received on register // application master response. NUnit.Framework.Assert.IsNotNull(response.GetClientToAMTokenMasterKey()); NUnit.Framework.Assert.IsTrue(((byte[])response.GetClientToAMTokenMasterKey().Array ()).Length > 0); // Start the AM with the correct shared-secret. ApplicationAttemptId appAttemptId = app.GetAppAttempts().Keys.GetEnumerator().Next (); NUnit.Framework.Assert.IsNotNull(appAttemptId); TestClientToAMTokens.CustomAM am = new TestClientToAMTokens.CustomAM(appAttemptId , ((byte[])response.GetClientToAMTokenMasterKey().Array())); am.Init(conf); am.Start(); // Now the real test! // Set up clients to be able to pick up correct tokens. SecurityUtil.SetSecurityInfoProviders(new TestClientToAMTokens.CustomSecurityInfo ()); // Verify denial for unauthenticated user try { TestClientToAMTokens.CustomProtocol client = (TestClientToAMTokens.CustomProtocol )RPC.GetProxy <TestClientToAMTokens.CustomProtocol>(1L, am.address, conf); client.Ping(); NUnit.Framework.Assert.Fail("Access by unauthenticated user should fail!!"); } catch (Exception) { NUnit.Framework.Assert.IsFalse(am.pinged); } Org.Apache.Hadoop.Security.Token.Token <ClientToAMTokenIdentifier> token = ConverterUtils .ConvertFromYarn(originalClientToAMToken, am.address); // Verify denial for a malicious user with tampered ID VerifyTokenWithTamperedID(conf, am, token); // Verify denial for a malicious user with tampered user-name VerifyTokenWithTamperedUserName(conf, am, token); // Now for an authenticated user VerifyValidToken(conf, am, token); // Verify for a new version token VerifyNewVersionToken(conf, am, token, rm); am.Stop(); rm.Stop(); }