Example 1 with InvalidContainerException
use of org.apache.hadoop.yarn.exceptions.InvalidContainerException in project hadoop by apache.
the class ContainerManagerImpl method authorizeStartAndResourceIncreaseRequest.
/**
* @param containerTokenIdentifier
* of the container whose resource is to be started or increased
* @throws YarnException
*/
@Private
@VisibleForTesting
protected void authorizeStartAndResourceIncreaseRequest(NMTokenIdentifier nmTokenIdentifier, ContainerTokenIdentifier containerTokenIdentifier, boolean startRequest) throws YarnException {
if (nmTokenIdentifier == null) {
throw RPCUtil.getRemoteException(INVALID_NMTOKEN_MSG);
}
if (containerTokenIdentifier == null) {
throw RPCUtil.getRemoteException(INVALID_CONTAINERTOKEN_MSG);
}
/*
* Check the following:
* 1. The request comes from the same application attempt
* 2. The request possess a container token that has not expired
* 3. The request possess a container token that is granted by a known RM
*/
ContainerId containerId = containerTokenIdentifier.getContainerID();
String containerIDStr = containerId.toString();
boolean unauthorized = false;
StringBuilder messageBuilder = new StringBuilder("Unauthorized request to " + (startRequest ? "start container." : "increase container resource."));
if (!nmTokenIdentifier.getApplicationAttemptId().getApplicationId().equals(containerId.getApplicationAttemptId().getApplicationId())) {
unauthorized = true;
messageBuilder.append("\nNMToken for application attempt : ").append(nmTokenIdentifier.getApplicationAttemptId()).append(" was used for " + (startRequest ? "starting " : "increasing resource of ") + "container with container token").append(" issued for application attempt : ").append(containerId.getApplicationAttemptId());
} else if (startRequest && !this.context.getContainerTokenSecretManager().isValidStartContainerRequest(containerTokenIdentifier)) {
// Is the container being relaunched? Or RPC layer let startCall with
// tokens generated off old-secret through?
unauthorized = true;
messageBuilder.append("\n Attempt to relaunch the same ").append("container with id ").append(containerIDStr).append(".");
} else if (containerTokenIdentifier.getExpiryTimeStamp() < System.currentTimeMillis()) {
// Ensure the token is not expired.
unauthorized = true;
messageBuilder.append("\nThis token is expired. current time is ").append(System.currentTimeMillis()).append(" found ").append(containerTokenIdentifier.getExpiryTimeStamp());
messageBuilder.append("\nNote: System times on machines may be out of sync.").append(" Check system time and time zones.");
}
if (unauthorized) {
String msg = messageBuilder.toString();
LOG.error(msg);
throw RPCUtil.getRemoteException(msg);
}
if (containerTokenIdentifier.getRMIdentifier() != nodeStatusUpdater.getRMIdentifier()) {
// Is the container coming from unknown RM
StringBuilder sb = new StringBuilder("\nContainer ");
sb.append(containerTokenIdentifier.getContainerID().toString()).append(" rejected as it is allocated by a previous RM");
throw new InvalidContainerException(sb.toString());
}
}
Also used :
ContainerId(org.apache.hadoop.yarn.api.records.ContainerId)
InvalidContainerException(org.apache.hadoop.yarn.exceptions.InvalidContainerException)
ByteString(com.google.protobuf.ByteString)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Private(org.apache.hadoop.classification.InterfaceAudience.Private)
Aggregations
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
ByteString (com.google.protobuf.ByteString)1
Private (org.apache.hadoop.classification.InterfaceAudience.Private)1
ContainerId (org.apache.hadoop.yarn.api.records.ContainerId)1
InvalidContainerException (org.apache.hadoop.yarn.exceptions.InvalidContainerException)1
