
Example 6 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class LeveldbRMStateStore method loadDelegationKey.

/**
 * Rebuilds a {@link DelegationKey} from its serialized byte form.
 *
 * <p>The bytes are handed to {@code DelegationKey.readFields}; whatever that
 * method reads becomes the returned key. A DelegationKey holds the master key
 * bytes used for delegation tokens, so neither {@code data} nor the result
 * should be written to logs or diagnostics.
 *
 * <p>NOTE(review): bytes remaining in {@code data} after {@code readFields}
 * returns are not inspected here, and no integrity check on the stored record
 * is visible in this method. Presumably the backing store is trusted; confirm
 * against the caller.
 *
 * @param data serialized key record; a {@code null} array fails when the
 *     stream is constructed
 * @return the key populated from {@code data}
 * @throws IOException if {@code readFields} cannot decode the record
 */
private DelegationKey loadDelegationKey(byte[] data) throws IOException {
    DelegationKey masterKey = new DelegationKey();
    // The stream wraps an in-memory array, so closing it cannot fail; the
    // resource block closes it on both the normal and the exceptional path.
    try (DataInputStream keyStream = new DataInputStream(new ByteArrayInputStream(data))) {
        masterKey.readFields(keyStream);
    }
    return masterKey;
}
Also used : DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) ByteArrayInputStream(java.io.ByteArrayInputStream) DataInputStream(java.io.DataInputStream)

Example 7 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class HistoryServerLeveldbStateStoreService method loadTokenMasterKey.

/**
 * Decodes one serialized token master key and records it in the recovered
 * history-server state.
 *
 * <p>The key is added to {@code state.tokenMasterKeyState} only after
 * {@code readFields} has completed; a decode failure leaves {@code state}
 * untouched by this call.
 *
 * <p>NOTE(review): the decoded object carries master key bytes; keep it and
 * {@code data} out of log output. Trailing bytes after the record are not
 * checked here.
 *
 * @param state recovered state that receives the decoded key
 * @param data serialized key record
 * @throws IOException if {@code readFields} cannot decode the record
 */
private void loadTokenMasterKey(HistoryServerState state, byte[] data) throws IOException {
    DelegationKey masterKey = new DelegationKey();
    // In-memory stream: close cannot fail, and the resource block closes it on
    // every exit path.
    try (DataInputStream keyStream = new DataInputStream(new ByteArrayInputStream(data))) {
        masterKey.readFields(keyStream);
    }
    state.tokenMasterKeyState.add(masterKey);
}
Also used : DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) ByteArrayInputStream(java.io.ByteArrayInputStream) DataInputStream(java.io.DataInputStream)

Example 8 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class HistoryServerFileSystemStateStoreService method loadTokenMasterKey.

/**
 * Reads a token master key file, decodes it and records the key in the
 * recovered history-server state.
 *
 * <p>The file contents are fetched through {@code readFile} and then parsed
 * with {@code DelegationKey.readFields}. The key is added to
 * {@code state.tokenMasterKeyState} only after decoding has completed.
 *
 * <p>NOTE(review): the file holds master key bytes, so its permissions on the
 * backing file system matter as much as this code does; nothing in this
 * method checks ownership or mode. Confirm that the store directory is
 * restricted to the service user.
 *
 * @param state recovered state that receives the decoded key
 * @param keyFile location of the serialized key record
 * @param numKeyFileBytes length passed to {@code readFile} for this file
 * @throws IOException if the file cannot be read or the record cannot be
 *     decoded
 */
private void loadTokenMasterKey(HistoryServerState state, Path keyFile, long numKeyFileBytes) throws IOException {
    DelegationKey masterKey = new DelegationKey();
    byte[] serializedKey = readFile(keyFile, numKeyFileBytes);
    // In-memory stream: close cannot fail, and the resource block closes it on
    // every exit path.
    try (DataInputStream keyStream = new DataInputStream(new ByteArrayInputStream(serializedKey))) {
        masterKey.readFields(keyStream);
    }
    state.tokenMasterKeyState.add(masterKey);
}
Also used : DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) ByteArrayInputStream(java.io.ByteArrayInputStream) DataInputStream(java.io.DataInputStream) FSDataInputStream(org.apache.hadoop.fs.FSDataInputStream)

Example 9 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class TestRMRestart method testRMDelegationTokenRestoredOnRMRestart.

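/**
 * Verifies that delegation-token state survives a ResourceManager restart.
 *
 * <p>The test issues two tokens on a first RM backed by an in-memory state
 * store, cancels the second, then starts a second RM on the same store and
 * checks that:
 * <ul>
 *   <li>master keys, the live token and the sequence number are recovered;</li>
 *   <li>the cancelled token is not brought back by recovery;</li>
 *   <li>renewing and cancelling the recovered token is reflected in the
 *       store.</li>
 * </ul>
 *
 * <p>Calls that may throw are made directly: the method already declares
 * {@code throws Exception}, so an unexpected failure reaches the test runner
 * with its stack trace instead of being reduced to a bare
 * {@code Assert.fail()}.
 */
@Test(timeout = 60000)
public void testRMDelegationTokenRestoredOnRMRestart() throws Exception {
    conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, 2);
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    conf.set(YarnConfiguration.RM_ADDRESS, "localhost:8032");
    UserGroupInformation.setConfiguration(conf);
    MemoryRMStateStore memStore = new MemoryRMStateStore();
    memStore.init(conf);
    RMState rmState = memStore.getState();
    Map<ApplicationId, ApplicationStateData> rmAppState = rmState.getApplicationState();
    Map<RMDelegationTokenIdentifier, Long> rmDTState = rmState.getRMDTSecretManagerState().getTokenState();
    Set<DelegationKey> rmDTMasterKeyState = rmState.getRMDTSecretManagerState().getMasterKeyState();
    MockRM rm1 = new TestSecurityMockRM(conf, memStore);
    rm1.start();
    // create an empty credential
    Credentials ts = new Credentials();
    // request a token and add into credential
    GetDelegationTokenRequest request1 = GetDelegationTokenRequest.newInstance("renewer1");
    UserGroupInformation.getCurrentUser().setAuthenticationMethod(AuthMethod.KERBEROS);
    GetDelegationTokenResponse response1 = rm1.getClientRMService().getDelegationToken(request1);
    org.apache.hadoop.yarn.api.records.Token delegationToken1 = response1.getRMDelegationToken();
    Token<RMDelegationTokenIdentifier> token1 = ConverterUtils.convertFromYarn(delegationToken1, rmAddr);
    RMDelegationTokenIdentifier dtId1 = token1.decodeIdentifier();
    HashSet<RMDelegationTokenIdentifier> tokenIdentSet = new HashSet<RMDelegationTokenIdentifier>();
    ts.addToken(token1.getService(), token1);
    tokenIdentSet.add(dtId1);
    // submit an app with customized credential
    RMApp app = rm1.submitApp(200, "name", "user", new HashMap<ApplicationAccessType, String>(), false, "default", 1, ts);
    // assert app info is saved
    ApplicationStateData appState = rmAppState.get(app.getApplicationId());
    Assert.assertNotNull(appState);
    // assert all master keys are saved
    Set<DelegationKey> allKeysRM1 = rm1.getRMContext().getRMDelegationTokenSecretManager().getAllMasterKeys();
    Assert.assertEquals(allKeysRM1, rmDTMasterKeyState);
    // assert all tokens are saved
    Map<RMDelegationTokenIdentifier, Long> allTokensRM1 = rm1.getRMContext().getRMDelegationTokenSecretManager().getAllTokens();
    Assert.assertEquals(tokenIdentSet, allTokensRM1.keySet());
    Assert.assertEquals(allTokensRM1, rmDTState);
    // assert sequence number is saved
    Assert.assertEquals(rm1.getRMContext().getRMDelegationTokenSecretManager().getLatestDTSequenceNumber(), rmState.getRMDTSecretManagerState().getDTSequenceNumber());
    // request one more token
    GetDelegationTokenRequest request2 = GetDelegationTokenRequest.newInstance("renewer2");
    GetDelegationTokenResponse response2 = rm1.getClientRMService().getDelegationToken(request2);
    org.apache.hadoop.yarn.api.records.Token delegationToken2 = response2.getRMDelegationToken();
    Token<RMDelegationTokenIdentifier> token2 = ConverterUtils.convertFromYarn(delegationToken2, rmAddr);
    RMDelegationTokenIdentifier dtId2 = token2.decodeIdentifier();
    // cancel token2; any exception propagates and fails the test with its cause
    rm1.getRMContext().getRMDelegationTokenSecretManager().cancelToken(token2, UserGroupInformation.getCurrentUser().getUserName());
    // Assert the token which has the latest delegationTokenSequenceNumber is removed
    Assert.assertEquals(rm1.getRMContext().getRMDelegationTokenSecretManager().getLatestDTSequenceNumber(), dtId2.getSequenceNumber());
    Assert.assertFalse(rmDTState.containsKey(dtId2));
    // start new RM
    MockRM rm2 = new TestSecurityMockRM(conf, memStore);
    rm2.start();
    // assert master keys and tokens are populated back to DTSecretManager
    Map<RMDelegationTokenIdentifier, Long> allTokensRM2 = rm2.getRMContext().getRMDelegationTokenSecretManager().getAllTokens();
    Assert.assertEquals(allTokensRM2.keySet(), allTokensRM1.keySet());
    // the token cancelled before the restart must stay revoked after recovery
    Assert.assertFalse(allTokensRM2.containsKey(dtId2));
    // rm2 has its own master keys when it starts, we use containsAll here
    Assert.assertTrue(rm2.getRMContext().getRMDelegationTokenSecretManager().getAllMasterKeys().containsAll(allKeysRM1));
    // assert sequenceNumber is properly recovered,
    // even though the token which has max sequenceNumber is not stored
    Assert.assertEquals(rm1.getRMContext().getRMDelegationTokenSecretManager().getLatestDTSequenceNumber(), rm2.getRMContext().getRMDelegationTokenSecretManager().getLatestDTSequenceNumber());
    // renewDate before renewing
    Long renewDateBeforeRenew = allTokensRM2.get(dtId1);
    // a missing entry should fail as an assertion, not as an unboxing NPE below
    Assert.assertNotNull(renewDateBeforeRenew);
    // Sleep for one millisecond to make sure renewDateAfterRenew is greater
    Thread.sleep(1);
    // renew recovered token
    rm2.getRMContext().getRMDelegationTokenSecretManager().renewToken(token1, "renewer1");
    allTokensRM2 = rm2.getRMContext().getRMDelegationTokenSecretManager().getAllTokens();
    Long renewDateAfterRenew = allTokensRM2.get(dtId1);
    Assert.assertNotNull(renewDateAfterRenew);
    // assert token is renewed
    Assert.assertTrue(renewDateAfterRenew > renewDateBeforeRenew);
    // assert new token is added into state store
    Assert.assertTrue(rmDTState.containsValue(renewDateAfterRenew));
    // assert old token is removed from state store
    Assert.assertFalse(rmDTState.containsValue(renewDateBeforeRenew));
    rm2.getRMContext().getRMDelegationTokenSecretManager().cancelToken(token1, UserGroupInformation.getCurrentUser().getUserName());
    // assert token is removed from state after it is cancelled
    allTokensRM2 = rm2.getRMContext().getRMDelegationTokenSecretManager().getAllTokens();
    Assert.assertFalse(allTokensRM2.containsKey(dtId1));
    Assert.assertFalse(rmDTState.containsKey(dtId1));
}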
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) GetDelegationTokenResponse(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse) GetDelegationTokenRequest(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest) MemoryRMStateStore(org.apache.hadoop.yarn.server.resourcemanager.recovery.MemoryRMStateStore) HashSet(java.util.HashSet) ApplicationStateData(org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) IOException(java.io.IOException) ApplicationAttemptNotFoundException(org.apache.hadoop.yarn.exceptions.ApplicationAttemptNotFoundException) DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) ApplicationAccessType(org.apache.hadoop.yarn.api.records.ApplicationAccessType) Matchers.anyLong(org.mockito.Matchers.anyLong) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) RMState(org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState) Credentials(org.apache.hadoop.security.Credentials) Test(org.junit.Test)

Example 10 with DelegationKey

use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.

the class TestZKRMStateStore method testFencedState.

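/**
 * Checks that a state store that has been moved to the fenced state still
 * reports itself as fenced after each kind of mutating call.
 *
 * <p>The store is fenced first; every subsequent store/update/remove call
 * (application, attempt, delegation token, delegation master key, AMRM token
 * state) is followed by an assertion on {@code isFencedState()}.
 *
 * <p>NOTE(review): the assertions only observe the fenced flag. Nothing here
 * verifies that the fenced store refused to persist the delegation token or
 * master key; a check on the stored state after each call would cover that.
 *
 * <p>The store is closed in a {@code finally} block so a failed assertion
 * does not leave it open for later tests.
 */
@Test
public void testFencedState() throws Exception {
    final String fencedMessage = "RMStateStore should have been in fenced state";
    TestZKRMStateStoreTester zkTester = new TestZKRMStateStoreTester();
    RMStateStore store = zkTester.getRMStateStore();
    try {
        // Move state to FENCED from ACTIVE
        store.updateFencedState();
        assertEquals(fencedMessage, true, store.isFencedState());
        long submitTime = System.currentTimeMillis();
        long startTime = submitTime + 1000;
        // Add a new app
        RMApp mockApp = mock(RMApp.class);
        ApplicationSubmissionContext context = new ApplicationSubmissionContextPBImpl();
        when(mockApp.getSubmitTime()).thenReturn(submitTime);
        when(mockApp.getStartTime()).thenReturn(startTime);
        when(mockApp.getApplicationSubmissionContext()).thenReturn(context);
        when(mockApp.getUser()).thenReturn("test");
        store.storeNewApplication(mockApp);
        assertEquals(fencedMessage, true, store.isFencedState());
        // Add a new attempt
        ClientToAMTokenSecretManagerInRM clientToAMTokenMgr = new ClientToAMTokenSecretManagerInRM();
        ApplicationAttemptId attemptId = ApplicationAttemptId.fromString("appattempt_1234567894321_0001_000001");
        SecretKey clientTokenMasterKey = clientToAMTokenMgr.createMasterKey(attemptId);
        RMAppAttemptMetrics mockRmAppAttemptMetrics = mock(RMAppAttemptMetrics.class);
        Container container = new ContainerPBImpl();
        container.setId(ContainerId.fromString("container_1234567891234_0001_01_000001"));
        RMAppAttempt mockAttempt = mock(RMAppAttempt.class);
        when(mockAttempt.getAppAttemptId()).thenReturn(attemptId);
        when(mockAttempt.getMasterContainer()).thenReturn(container);
        when(mockAttempt.getClientTokenMasterKey()).thenReturn(clientTokenMasterKey);
        when(mockAttempt.getRMAppAttemptMetrics()).thenReturn(mockRmAppAttemptMetrics);
        when(mockRmAppAttemptMetrics.getAggregateAppResourceUsage()).thenReturn(new AggregateAppResourceUsage(0, 0));
        store.storeNewApplicationAttempt(mockAttempt);
        assertEquals(fencedMessage, true, store.isFencedState());
        long finishTime = submitTime + 1000;
        // Update attempt
        ApplicationAttemptStateData newAttemptState = ApplicationAttemptStateData.newInstance(attemptId, container, store.getCredentialsFromAppAttempt(mockAttempt), startTime, RMAppAttemptState.FINISHED, "testUrl", "test", FinalApplicationStatus.SUCCEEDED, 100, finishTime, 0, 0, 0, 0);
        store.updateApplicationAttemptState(newAttemptState);
        assertEquals(fencedMessage, true, store.isFencedState());
        // Update app
        ApplicationStateData appState = ApplicationStateData.newInstance(submitTime, startTime, context, "test");
        store.updateApplicationState(appState);
        assertEquals(fencedMessage, true, store.isFencedState());
        // Remove app
        store.removeApplication(mockApp);
        assertEquals(fencedMessage, true, store.isFencedState());
        // store RM delegation token
        RMDelegationTokenIdentifier dtId1 = new RMDelegationTokenIdentifier(new Text("owner1"), new Text("renewer1"), new Text("realuser1"));
        // Long.valueOf replaces the deprecated boxing constructor
        Long renewDate1 = Long.valueOf(System.currentTimeMillis());
        dtId1.setSequenceNumber(1111);
        store.storeRMDelegationToken(dtId1, renewDate1);
        assertEquals(fencedMessage, true, store.isFencedState());
        store.updateRMDelegationToken(dtId1, renewDate1);
        assertEquals(fencedMessage, true, store.isFencedState());
        // remove RM delegation token
        store.removeRMDelegationToken(dtId1);
        assertEquals(fencedMessage, true, store.isFencedState());
        // store delegation master key; the bytes are a fixed test literal, not real key material
        DelegationKey key = new DelegationKey(1234, 4321, "keyBytes".getBytes());
        store.storeRMDTMasterKey(key);
        assertEquals(fencedMessage, true, store.isFencedState());
        // remove delegation master key
        store.removeRMDTMasterKey(key);
        assertEquals(fencedMessage, true, store.isFencedState());
        // store or update AMRMToken
        store.storeOrUpdateAMRMTokenSecretManager(null, false);
        assertEquals(fencedMessage, true, store.isFencedState());
    } finally {
        // release the store even when an assertion above fails
        store.close();
    }
}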
Also used : RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) RMAppAttemptMetrics(org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptMetrics) ClientToAMTokenSecretManagerInRM(org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM) RMAppAttempt(org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt) ContainerPBImpl(org.apache.hadoop.yarn.api.records.impl.pb.ContainerPBImpl) Text(org.apache.hadoop.io.Text) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) ApplicationStateData(org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) SecretKey(javax.crypto.SecretKey) Container(org.apache.hadoop.yarn.api.records.Container) ApplicationSubmissionContextPBImpl(org.apache.hadoop.yarn.api.records.impl.pb.ApplicationSubmissionContextPBImpl) DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey) ApplicationSubmissionContext(org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext) ApplicationAttemptStateData(org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationAttemptStateData) AggregateAppResourceUsage(org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.AggregateAppResourceUsage) Test(org.junit.Test)

Aggregations

DelegationKey (org.apache.hadoop.security.token.delegation.DelegationKey)30 IOException (java.io.IOException)8 Test (org.junit.Test)8 ByteArrayInputStream (java.io.ByteArrayInputStream)7 DataInputStream (java.io.DataInputStream)7 Text (org.apache.hadoop.io.Text)7 RMDelegationTokenIdentifier (org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier)6 HashMap (java.util.HashMap)3 HashSet (java.util.HashSet)3 MRDelegationTokenIdentifier (org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier)3 MemoryRMStateStore (org.apache.hadoop.yarn.server.resourcemanager.recovery.MemoryRMStateStore)3 RMState (org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState)3 Configuration (org.apache.hadoop.conf.Configuration)2 FSDataInputStream (org.apache.hadoop.fs.FSDataInputStream)2 SecretManagerSection (org.apache.hadoop.hdfs.server.namenode.FsImageProto.SecretManagerSection)2 HistoryServerState (org.apache.hadoop.mapreduce.v2.hs.HistoryServerStateStoreService.HistoryServerState)2 Token (org.apache.hadoop.security.token.Token)2 GetDelegationTokenRequest (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest)2 GetDelegationTokenResponse (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse)2 MockRM (org.apache.hadoop.yarn.server.resourcemanager.MockRM)2