
Example 16 with InvalidToken

use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

the class TestDelegationTokenRenewer method testDTKeepAlive1.

/**
 * Basic idea of the test:
 * 0. Setup token KEEP_ALIVE
 * 1. create tokens.
 * 2. register them for renewal - to be cancelled on app complete
 * 3. Complete app.
 * 4. Verify token is alive within the KEEP_ALIVE time
 * 5. Verify token has been cancelled after the KEEP_ALIVE_TIME
 * @throws IOException
 * @throws URISyntaxException
 */
@Test(timeout = 60000)
public void testDTKeepAlive1() throws Exception {
    Configuration lconf = new Configuration(conf);
    lconf.setBoolean(YarnConfiguration.LOG_AGGREGATION_ENABLED, true);
    // Keep tokens alive for 6 seconds.
    lconf.setLong(YarnConfiguration.RM_NM_EXPIRY_INTERVAL_MS, 6000L);
    // Try removing tokens every second.
    lconf.setLong(YarnConfiguration.RM_DELAYED_DELEGATION_TOKEN_REMOVAL_INTERVAL_MS, 1000L);
    DelegationTokenRenewer localDtr = createNewDelegationTokenRenewer(lconf, counter);
    RMContext mockContext = mock(RMContext.class);
    when(mockContext.getSystemCredentialsForApps()).thenReturn(new ConcurrentHashMap<ApplicationId, ByteBuffer>());
    ClientRMService mockClientRMService = mock(ClientRMService.class);
    when(mockContext.getClientRMService()).thenReturn(mockClientRMService);
    when(mockContext.getDelegationTokenRenewer()).thenReturn(localDtr);
    when(mockContext.getDispatcher()).thenReturn(dispatcher);
    InetSocketAddress sockAddr = InetSocketAddress.createUnresolved("localhost", 1234);
    when(mockClientRMService.getBindAddress()).thenReturn(sockAddr);
    localDtr.setRMContext(mockContext);
    localDtr.init(lconf);
    localDtr.start();
    MyFS dfs = (MyFS) FileSystem.get(lconf);
    LOG.info("dfs=" + (Object) dfs.hashCode() + ";conf=" + lconf.hashCode());
    Credentials ts = new Credentials();
    // get the delegation tokens
    MyToken token1 = dfs.getDelegationToken("user1");
    String nn1 = DelegationTokenRenewer.SCHEME + "://host1:0";
    ts.addToken(new Text(nn1), token1);
    // register the tokens for renewal
    ApplicationId applicationId_0 = BuilderUtils.newApplicationId(0, 0);
    localDtr.addApplicationAsync(applicationId_0, ts, true, "user", new Configuration());
    waitForEventsToGetProcessed(localDtr);
    if (!eventQueue.isEmpty()) {
        Event evt = eventQueue.take();
        if (evt instanceof RMAppEvent) {
            Assert.assertEquals(((RMAppEvent) evt).getType(), RMAppEventType.START);
        } else {
            fail("RMAppEvent.START was expected!!");
        }
    }
    localDtr.applicationFinished(applicationId_0);
    waitForEventsToGetProcessed(localDtr);
    //Token should still be around. Renewal should not fail.
    token1.renew(lconf);
    // Allow the keep-alive time to run out.
    Thread.sleep(10000L);
    //The token should have been cancelled at this point. Renewal will fail.
    try {
        token1.renew(lconf);
        fail("Renewal of cancelled token should have failed");
    } catch (InvalidToken ite) {
        // Expected: renewing a cancelled token must be rejected with InvalidToken.
    }
}
Also used : RMContext(org.apache.hadoop.yarn.server.resourcemanager.RMContext) Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) InetSocketAddress(java.net.InetSocketAddress) Text(org.apache.hadoop.io.Text) ByteBuffer(java.nio.ByteBuffer) DataInputByteBuffer(org.apache.hadoop.io.DataInputByteBuffer) ClientRMService(org.apache.hadoop.yarn.server.resourcemanager.ClientRMService) RMAppEvent(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Event(org.apache.hadoop.yarn.event.Event) RMAppEvent(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) Credentials(org.apache.hadoop.security.Credentials) Test(org.junit.Test)

Example 17 with InvalidToken

use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hbase by apache.

the class HBaseSaslRpcServer method getIdentifier.

public static <T extends TokenIdentifier> T getIdentifier(String id, SecretManager<T> secretManager) throws InvalidToken {
    byte[] tokenId = SaslUtil.decodeIdentifier(id);
    T tokenIdentifier = secretManager.createIdentifier();
    try {
        tokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream(tokenId)));
    } catch (IOException e) {
        throw (InvalidToken) new InvalidToken("Can't de-serialize tokenIdentifier").initCause(e);
    }
    return tokenIdentifier;
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) IOException(java.io.IOException) DataInputStream(java.io.DataInputStream)

Example 18 with InvalidToken

use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

the class ContainerManagerImpl method startContainers.

/**
 * Start a list of containers on this NodeManager.
 */
@Override
public StartContainersResponse startContainers(StartContainersRequest requests) throws YarnException, IOException {
    if (blockNewContainerRequests.get()) {
        throw new NMNotYetReadyException("Rejecting new containers as NodeManager has not" + " yet connected with ResourceManager");
    }
    UserGroupInformation remoteUgi = getRemoteUgi();
    NMTokenIdentifier nmTokenIdentifier = selectNMTokenIdentifier(remoteUgi);
    authorizeUser(remoteUgi, nmTokenIdentifier);
    List<ContainerId> succeededContainers = new ArrayList<ContainerId>();
    Map<ContainerId, SerializedException> failedContainers = new HashMap<ContainerId, SerializedException>();
    // been added to the containers map in NMContext.
    synchronized (this.context) {
        for (StartContainerRequest request : requests.getStartContainerRequests()) {
            ContainerId containerId = null;
            try {
                if (request.getContainerToken() == null || request.getContainerToken().getIdentifier() == null) {
                    throw new IOException(INVALID_CONTAINERTOKEN_MSG);
                }
                ContainerTokenIdentifier containerTokenIdentifier = BuilderUtils.newContainerTokenIdentifier(request.getContainerToken());
                verifyAndGetContainerTokenIdentifier(request.getContainerToken(), containerTokenIdentifier);
                containerId = containerTokenIdentifier.getContainerID();
                // type AM and if the AMRMProxy service is enabled
                if (amrmProxyEnabled && containerTokenIdentifier.getContainerType().equals(ContainerType.APPLICATION_MASTER)) {
                    this.getAMRMProxyService().processApplicationStartRequest(request);
                }
                performContainerPreStartChecks(nmTokenIdentifier, request, containerTokenIdentifier);
                startContainerInternal(containerTokenIdentifier, request);
                succeededContainers.add(containerId);
            } catch (YarnException e) {
                failedContainers.put(containerId, SerializedException.newInstance(e));
            } catch (InvalidToken ie) {
                failedContainers.put(containerId, SerializedException.newInstance(ie));
                throw ie;
            } catch (IOException e) {
                throw RPCUtil.getRemoteException(e);
            }
        }
        return StartContainersResponse.newInstance(getAuxServiceMetaData(), succeededContainers, failedContainers);
    }
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) HashMap(java.util.HashMap) SerializedException(org.apache.hadoop.yarn.api.records.SerializedException) ArrayList(java.util.ArrayList) NMNotYetReadyException(org.apache.hadoop.yarn.exceptions.NMNotYetReadyException) IOException(java.io.IOException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) StartContainerRequest(org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier) ContainerId(org.apache.hadoop.yarn.api.records.ContainerId) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 19 with InvalidToken

use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

the class ContainerManagerImpl method increaseContainersResource.

/**
 * Increase resource of a list of containers on this NodeManager.
 */
@Override
public IncreaseContainersResourceResponse increaseContainersResource(IncreaseContainersResourceRequest requests) throws YarnException, IOException {
    if (blockNewContainerRequests.get()) {
        throw new NMNotYetReadyException("Rejecting container resource increase as NodeManager has not" + " yet connected with ResourceManager");
    }
    UserGroupInformation remoteUgi = getRemoteUgi();
    NMTokenIdentifier nmTokenIdentifier = selectNMTokenIdentifier(remoteUgi);
    authorizeUser(remoteUgi, nmTokenIdentifier);
    List<ContainerId> successfullyIncreasedContainers = new ArrayList<ContainerId>();
    Map<ContainerId, SerializedException> failedContainers = new HashMap<ContainerId, SerializedException>();
    // map in NMContext.
    synchronized (this.context) {
        // Process container resource increase requests
        for (org.apache.hadoop.yarn.api.records.Token token : requests.getContainersToIncrease()) {
            ContainerId containerId = null;
            try {
                if (token.getIdentifier() == null) {
                    throw new IOException(INVALID_CONTAINERTOKEN_MSG);
                }
                ContainerTokenIdentifier containerTokenIdentifier = BuilderUtils.newContainerTokenIdentifier(token);
                verifyAndGetContainerTokenIdentifier(token, containerTokenIdentifier);
                authorizeStartAndResourceIncreaseRequest(nmTokenIdentifier, containerTokenIdentifier, false);
                containerId = containerTokenIdentifier.getContainerID();
                // Reuse the startContainer logic to update NMToken,
                // as container resource increase request will have come with
                // an updated NMToken.
                updateNMTokenIdentifier(nmTokenIdentifier);
                Resource resource = containerTokenIdentifier.getResource();
                changeContainerResourceInternal(containerId, containerTokenIdentifier.getVersion(), resource, true);
                successfullyIncreasedContainers.add(containerId);
            } catch (YarnException | InvalidToken e) {
                failedContainers.put(containerId, SerializedException.newInstance(e));
            } catch (IOException e) {
                throw RPCUtil.getRemoteException(e);
            }
        }
    }
    return IncreaseContainersResourceResponse.newInstance(successfullyIncreasedContainers, failedContainers);
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) HashMap(java.util.HashMap) SerializedException(org.apache.hadoop.yarn.api.records.SerializedException) ArrayList(java.util.ArrayList) Resource(org.apache.hadoop.yarn.api.records.Resource) NMNotYetReadyException(org.apache.hadoop.yarn.exceptions.NMNotYetReadyException) IOException(java.io.IOException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier) ContainerId(org.apache.hadoop.yarn.api.records.ContainerId) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 20 with InvalidToken

use of org.apache.hadoop.security.token.SecretManager.InvalidToken in project hadoop by apache.

the class TestContainerLaunch method createContainerToken.

protected Token createContainerToken(ContainerId cId, Priority priority, long createTime) throws InvalidToken {
    Resource r = BuilderUtils.newResource(1024, 1);
    ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(cId, context.getNodeId().toString(), user, r, System.currentTimeMillis() + 10000L, 123, DUMMY_RM_IDENTIFIER, priority, createTime);
    Token containerToken = BuilderUtils.newContainerToken(context.getNodeId(), context.getContainerTokenSecretManager().retrievePassword(containerTokenIdentifier), containerTokenIdentifier);
    return containerToken;
}
Also used : Resource(org.apache.hadoop.yarn.api.records.Resource) LocalResource(org.apache.hadoop.yarn.api.records.LocalResource) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.yarn.api.records.Token) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier)
