Example 26 with DelegationKey
use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.
the class TestJHSDelegationTokenSecretManager method testRecovery.
@Test
public void testRecovery() throws IOException {
Configuration conf = new Configuration();
HistoryServerStateStoreService store = new HistoryServerMemStateStoreService();
store.init(conf);
store.start();
JHSDelegationTokenSecretManagerForTest mgr = new JHSDelegationTokenSecretManagerForTest(store);
mgr.startThreads();
MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
Token<MRDelegationTokenIdentifier> token1 = new Token<MRDelegationTokenIdentifier>(tokenId1, mgr);
MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
Token<MRDelegationTokenIdentifier> token2 = new Token<MRDelegationTokenIdentifier>(tokenId2, mgr);
DelegationKey[] keys = mgr.getAllKeys();
long tokenRenewDate1 = mgr.getAllTokens().get(tokenId1).getRenewDate();
long tokenRenewDate2 = mgr.getAllTokens().get(tokenId2).getRenewDate();
mgr.stopThreads();
mgr = new JHSDelegationTokenSecretManagerForTest(store);
mgr.recover(store.loadState());
List<DelegationKey> recoveredKeys = Arrays.asList(mgr.getAllKeys());
for (DelegationKey key : keys) {
assertTrue("key missing after recovery", recoveredKeys.contains(key));
}
assertTrue("token1 missing", mgr.getAllTokens().containsKey(tokenId1));
assertEquals("token1 renew date", tokenRenewDate1, mgr.getAllTokens().get(tokenId1).getRenewDate());
assertTrue("token2 missing", mgr.getAllTokens().containsKey(tokenId2));
assertEquals("token2 renew date", tokenRenewDate2, mgr.getAllTokens().get(tokenId2).getRenewDate());
mgr.startThreads();
mgr.verifyToken(tokenId1, token1.getPassword());
mgr.verifyToken(tokenId2, token2.getPassword());
MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
Token<MRDelegationTokenIdentifier> token3 = new Token<MRDelegationTokenIdentifier>(tokenId3, mgr);
assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1, tokenId3.getSequenceNumber());
mgr.cancelToken(token1, "tokenOwner");
// Testing with full principal name
MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(new Text("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser"));
KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");
Token<MRDelegationTokenIdentifier> tokenFull = new Token<MRDelegationTokenIdentifier>(tokenIdFull, mgr);
// Negative test
try {
mgr.cancelToken(tokenFull, "tokenOwner");
} catch (AccessControlException ace) {
assertTrue(ace.getMessage().contains("is not authorized to cancel the token"));
}
// Succeed to cancel with full principal
mgr.cancelToken(tokenFull, tokenIdFull.getOwner().toString());
long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate();
mgr.stopThreads();
mgr = new JHSDelegationTokenSecretManagerForTest(store);
mgr.recover(store.loadState());
assertFalse("token1 should be missing", mgr.getAllTokens().containsKey(tokenId1));
assertTrue("token2 missing", mgr.getAllTokens().containsKey(tokenId2));
assertEquals("token2 renew date", tokenRenewDate2, mgr.getAllTokens().get(tokenId2).getRenewDate());
assertTrue("token3 missing", mgr.getAllTokens().containsKey(tokenId3));
assertEquals("token3 renew date", tokenRenewDate3, mgr.getAllTokens().get(tokenId3).getRenewDate());
mgr.startThreads();
mgr.verifyToken(tokenId2, token2.getPassword());
mgr.verifyToken(tokenId3, token3.getPassword());
mgr.stopThreads();
}
Also used :
Configuration(org.apache.hadoop.conf.Configuration)
MRDelegationTokenIdentifier(org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier)
AccessControlException(org.apache.hadoop.security.AccessControlException)
Text(org.apache.hadoop.io.Text)
Token(org.apache.hadoop.security.token.Token)
DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey)
Test(org.junit.Test)
Example 27 with DelegationKey
use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.
the class TestLeveldbTimelineStateStore method testTokenStore.
@Test
public void testTokenStore() throws Exception {
initAndStartTimelineServiceStateStoreService();
TimelineServiceState state = store.loadState();
assertTrue("token state not empty", state.tokenState.isEmpty());
assertTrue("key state not empty", state.tokenMasterKeyState.isEmpty());
final DelegationKey key1 = new DelegationKey(1, 2, "keyData1".getBytes());
final TimelineDelegationTokenIdentifier token1 = new TimelineDelegationTokenIdentifier(new Text("tokenOwner1"), new Text("tokenRenewer1"), new Text("tokenUser1"));
token1.setSequenceNumber(1);
token1.getBytes();
final Long tokenDate1 = 1L;
final TimelineDelegationTokenIdentifier token2 = new TimelineDelegationTokenIdentifier(new Text("tokenOwner2"), new Text("tokenRenewer2"), new Text("tokenUser2"));
token2.setSequenceNumber(12345678);
token2.getBytes();
final Long tokenDate2 = 87654321L;
store.storeTokenMasterKey(key1);
try {
store.storeTokenMasterKey(key1);
fail("redundant store of key undetected");
} catch (IOException e) {
// expected
}
store.storeToken(token1, tokenDate1);
store.storeToken(token2, tokenDate2);
try {
store.storeToken(token1, tokenDate1);
fail("redundant store of token undetected");
} catch (IOException e) {
// expected
}
store.close();
initAndStartTimelineServiceStateStoreService();
state = store.loadState();
assertEquals("incorrect loaded token count", 2, state.tokenState.size());
assertTrue("missing token 1", state.tokenState.containsKey(token1));
assertEquals("incorrect token 1 date", tokenDate1, state.tokenState.get(token1));
assertTrue("missing token 2", state.tokenState.containsKey(token2));
assertEquals("incorrect token 2 date", tokenDate2, state.tokenState.get(token2));
assertEquals("incorrect master key count", 1, state.tokenMasterKeyState.size());
assertTrue("missing master key 1", state.tokenMasterKeyState.contains(key1));
assertEquals("incorrect latest sequence number", 12345678, state.getLatestSequenceNumber());
final DelegationKey key2 = new DelegationKey(3, 4, "keyData2".getBytes());
final DelegationKey key3 = new DelegationKey(5, 6, "keyData3".getBytes());
final TimelineDelegationTokenIdentifier token3 = new TimelineDelegationTokenIdentifier(new Text("tokenOwner3"), new Text("tokenRenewer3"), new Text("tokenUser3"));
token3.setSequenceNumber(12345679);
token3.getBytes();
final Long tokenDate3 = 87654321L;
store.removeToken(token1);
store.storeTokenMasterKey(key2);
final Long newTokenDate2 = 975318642L;
store.updateToken(token2, newTokenDate2);
store.removeTokenMasterKey(key1);
store.storeTokenMasterKey(key3);
store.storeToken(token3, tokenDate3);
store.close();
initAndStartTimelineServiceStateStoreService();
state = store.loadState();
assertEquals("incorrect loaded token count", 2, state.tokenState.size());
assertFalse("token 1 not removed", state.tokenState.containsKey(token1));
assertTrue("missing token 2", state.tokenState.containsKey(token2));
assertEquals("incorrect token 2 date", newTokenDate2, state.tokenState.get(token2));
assertTrue("missing token 3", state.tokenState.containsKey(token3));
assertEquals("incorrect token 3 date", tokenDate3, state.tokenState.get(token3));
assertEquals("incorrect master key count", 2, state.tokenMasterKeyState.size());
assertFalse("master key 1 not removed", state.tokenMasterKeyState.contains(key1));
assertTrue("missing master key 2", state.tokenMasterKeyState.contains(key2));
assertTrue("missing master key 3", state.tokenMasterKeyState.contains(key3));
assertEquals("incorrect latest sequence number", 12345679, state.getLatestSequenceNumber());
store.close();
}
Also used :
TimelineServiceState(org.apache.hadoop.yarn.server.timeline.recovery.TimelineStateStore.TimelineServiceState)
DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey)
TimelineDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier)
Text(org.apache.hadoop.io.Text)
IOException(java.io.IOException)
Test(org.junit.Test)
Example 28 with DelegationKey
use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.
the class MemoryRMStateStore method storeRMDTMasterKeyState.
@Override
public synchronized void storeRMDTMasterKeyState(DelegationKey delegationKey) throws Exception {
Set<DelegationKey> rmDTMasterKeyState = state.rmSecretManagerState.getMasterKeyState();
if (rmDTMasterKeyState.contains(delegationKey)) {
IOException e = new IOException("RMDTMasterKey with keyID: " + delegationKey.getKeyId() + " is already stored");
LOG.info("Error storing info for RMDTMasterKey with keyID: " + delegationKey.getKeyId(), e);
throw e;
}
state.getRMDTSecretManagerState().getMasterKeyState().add(delegationKey);
LOG.info("Store RMDT master key with key id: " + delegationKey.getKeyId() + ". Currently rmDTMasterKeyState size: " + rmDTMasterKeyState.size());
}
Also used :
DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey)
IOException(java.io.IOException)
Example 29 with DelegationKey
use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.
the class FileSystemRMStateStore method loadRMDTSecretManagerState.
private void loadRMDTSecretManagerState(RMState rmState) throws Exception {
checkAndResumeUpdateOperation(rmDTSecretManagerRoot);
FileStatus[] childNodes = listStatusWithRetries(rmDTSecretManagerRoot);
for (FileStatus childNodeStatus : childNodes) {
assert childNodeStatus.isFile();
String childNodeName = childNodeStatus.getPath().getName();
if (checkAndRemovePartialRecordWithRetries(childNodeStatus.getPath())) {
continue;
}
if (childNodeName.startsWith(DELEGATION_TOKEN_SEQUENCE_NUMBER_PREFIX)) {
rmState.rmSecretManagerState.dtSequenceNumber = Integer.parseInt(childNodeName.split("_")[1]);
continue;
}
Path childNodePath = getNodePath(rmDTSecretManagerRoot, childNodeName);
byte[] childData = readFileWithRetries(childNodePath, childNodeStatus.getLen());
ByteArrayInputStream is = new ByteArrayInputStream(childData);
try (DataInputStream fsIn = new DataInputStream(is)) {
if (childNodeName.startsWith(DELEGATION_KEY_PREFIX)) {
DelegationKey key = new DelegationKey();
key.readFields(fsIn);
rmState.rmSecretManagerState.masterKeyState.add(key);
if (LOG.isDebugEnabled()) {
LOG.debug("Loaded delegation key: keyId=" + key.getKeyId() + ", expirationDate=" + key.getExpiryDate());
}
} else if (childNodeName.startsWith(DELEGATION_TOKEN_PREFIX)) {
RMDelegationTokenIdentifierData identifierData = new RMDelegationTokenIdentifierData();
identifierData.readFields(fsIn);
RMDelegationTokenIdentifier identifier = identifierData.getTokenIdentifier();
long renewDate = identifierData.getRenewDate();
rmState.rmSecretManagerState.delegationTokenState.put(identifier, renewDate);
if (LOG.isDebugEnabled()) {
LOG.debug("Loaded RMDelegationTokenIdentifier: " + identifier + " renewDate=" + renewDate);
}
} else {
LOG.warn("Unknown file for recovering RMDelegationTokenSecretManager");
}
}
}
}
Also used :
Path(org.apache.hadoop.fs.Path)
RMDelegationTokenIdentifierData(org.apache.hadoop.yarn.server.resourcemanager.recovery.records.RMDelegationTokenIdentifierData)
FileStatus(org.apache.hadoop.fs.FileStatus)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey)
RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier)
DataInputStream(java.io.DataInputStream)
FSDataInputStream(org.apache.hadoop.fs.FSDataInputStream)
Example 30 with DelegationKey
use of org.apache.hadoop.security.token.delegation.DelegationKey in project hadoop by apache.
the class ZKRMStateStore method loadRMDelegationKeyState.
private void loadRMDelegationKeyState(RMState rmState) throws Exception {
List<String> childNodes = getChildren(dtMasterKeysRootPath);
for (String childNodeName : childNodes) {
String childNodePath = getNodePath(dtMasterKeysRootPath, childNodeName);
byte[] childData = getData(childNodePath);
if (childData == null) {
LOG.warn("Content of " + childNodePath + " is broken.");
continue;
}
ByteArrayInputStream is = new ByteArrayInputStream(childData);
try (DataInputStream fsIn = new DataInputStream(is)) {
if (childNodeName.startsWith(DELEGATION_KEY_PREFIX)) {
DelegationKey key = new DelegationKey();
key.readFields(fsIn);
rmState.rmSecretManagerState.masterKeyState.add(key);
if (LOG.isDebugEnabled()) {
LOG.debug("Loaded delegation key: keyId=" + key.getKeyId() + ", expirationDate=" + key.getExpiryDate());
}
}
}
}
}
Also used :
ByteArrayInputStream(java.io.ByteArrayInputStream)
DelegationKey(org.apache.hadoop.security.token.delegation.DelegationKey)
DataInputStream(java.io.DataInputStream)
Aggregations
DelegationKey (org.apache.hadoop.security.token.delegation.DelegationKey)30
IOException (java.io.IOException)8
Test (org.junit.Test)8
ByteArrayInputStream (java.io.ByteArrayInputStream)7
DataInputStream (java.io.DataInputStream)7
Text (org.apache.hadoop.io.Text)7
RMDelegationTokenIdentifier (org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier)6
HashMap (java.util.HashMap)3
HashSet (java.util.HashSet)3
MRDelegationTokenIdentifier (org.apache.hadoop.mapreduce.v2.api.MRDelegationTokenIdentifier)3
MemoryRMStateStore (org.apache.hadoop.yarn.server.resourcemanager.recovery.MemoryRMStateStore)3
RMState (org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.RMState)3
Configuration (org.apache.hadoop.conf.Configuration)2
FSDataInputStream (org.apache.hadoop.fs.FSDataInputStream)2
SecretManagerSection (org.apache.hadoop.hdfs.server.namenode.FsImageProto.SecretManagerSection)2
HistoryServerState (org.apache.hadoop.mapreduce.v2.hs.HistoryServerStateStoreService.HistoryServerState)2
Token (org.apache.hadoop.security.token.Token)2
GetDelegationTokenRequest (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest)2
GetDelegationTokenResponse (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse)2
MockRM (org.apache.hadoop.yarn.server.resourcemanager.MockRM)2
