Example 1 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class LocalContainerAllocator method updateAMRMToken.

private void updateAMRMToken(Token token) throws IOException {
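    // Rebuild the YARN API record as a Hadoop security Token (identifier, password, kind, service).
    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> amrmToken = new org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>(token.getIdentifier().array(), token.getPassword().array(), new Text(token.getKind()), new Text(token.getService()));
    // Add the token to the current user's credentials.
    UserGroupInformation currentUGI = UserGroupInformation.getCurrentUser();
    currentUGI.addToken(amrmToken);
    // Set the token's service to the AMRM token service derived from the configuration.
    amrmToken.setService(ClientRMProxy.getAMRMTokenService(getConfig()));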
}
Also used : AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) Token(org.apache.hadoop.yarn.api.records.Token) Text(org.apache.hadoop.io.Text) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 2 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class RMContainerAllocator method updateAMRMToken.

private void updateAMRMToken(Token token) throws IOException {
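    // Rebuild the YARN API record as a Hadoop security Token (identifier, password, kind, service).
    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> amrmToken = new org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>(token.getIdentifier().array(), token.getPassword().array(), new Text(token.getKind()), new Text(token.getService()));
    // Add the token to the current user's credentials.
    UserGroupInformation currentUGI = UserGroupInformation.getCurrentUser();
    currentUGI.addToken(amrmToken);
    // Set the token's service to the AMRM token service derived from the configuration.
    amrmToken.setService(ClientRMProxy.getAMRMTokenService(getConfig()));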
}
Also used : AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) NMToken(org.apache.hadoop.yarn.api.records.NMToken) Token(org.apache.hadoop.yarn.api.records.Token) Text(org.apache.hadoop.io.Text) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 3 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class TestLocalContainerAllocator method testAMRMTokenUpdate.

@Test
public void testAMRMTokenUpdate() throws Exception {
    Configuration conf = new Configuration();
    ApplicationAttemptId attemptId = ApplicationAttemptId.newInstance(ApplicationId.newInstance(1, 1), 1);
    AMRMTokenIdentifier oldTokenId = new AMRMTokenIdentifier(attemptId, 1);
    AMRMTokenIdentifier newTokenId = new AMRMTokenIdentifier(attemptId, 2);
    Token<AMRMTokenIdentifier> oldToken = new Token<AMRMTokenIdentifier>(oldTokenId.getBytes(), "oldpassword".getBytes(), oldTokenId.getKind(), new Text());
    Token<AMRMTokenIdentifier> newToken = new Token<AMRMTokenIdentifier>(newTokenId.getBytes(), "newpassword".getBytes(), newTokenId.getKind(), new Text());
    MockScheduler scheduler = new MockScheduler();
    scheduler.amToken = newToken;
    final LocalContainerAllocator lca = new StubbedLocalContainerAllocator(scheduler);
    lca.init(conf);
    lca.start();
    UserGroupInformation testUgi = UserGroupInformation.createUserForTesting("someuser", new String[0]);
    testUgi.addToken(oldToken);
    testUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            lca.heartbeat();
            return null;
        }
    });
    lca.close();
    // verify there is only one AMRM token in the UGI and it matches the
    // updated token from the RM
    int tokenCount = 0;
    Token<? extends TokenIdentifier> ugiToken = null;
    for (Token<? extends TokenIdentifier> token : testUgi.getTokens()) {
        if (AMRMTokenIdentifier.KIND_NAME.equals(token.getKind())) {
            ugiToken = token;
            ++tokenCount;
        }
    }
    Assert.assertEquals("too many AMRM tokens", 1, tokenCount);
    Assert.assertArrayEquals("token identifier not updated", newToken.getIdentifier(), ugiToken.getIdentifier());
    Assert.assertArrayEquals("token password not updated", newToken.getPassword(), ugiToken.getPassword());
    Assert.assertEquals("AMRM token service not updated", new Text(ClientRMProxy.getAMRMTokenService(conf)), ugiToken.getService());
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) NMToken(org.apache.hadoop.yarn.api.records.NMToken) Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) IOException(java.io.IOException) YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 4 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class MRAppMasterTestLaunchTime method testMRAppMasterCredentials.

@Test
public void testMRAppMasterCredentials() throws Exception {
    Logger rootLogger = LogManager.getRootLogger();
    rootLogger.setLevel(Level.DEBUG);
    // Simulate credentials passed to AM via client->RM->NM
    Credentials credentials = new Credentials();
    byte[] identifier = "MyIdentifier".getBytes();
    byte[] password = "MyPassword".getBytes();
    Text kind = new Text("MyTokenKind");
    Text service = new Text("host:port");
    Token<? extends TokenIdentifier> myToken = new Token<TokenIdentifier>(identifier, password, kind, service);
    Text tokenAlias = new Text("myToken");
    credentials.addToken(tokenAlias, myToken);
    Text appTokenService = new Text("localhost:0");
    Token<AMRMTokenIdentifier> appToken = new Token<AMRMTokenIdentifier>(identifier, password, AMRMTokenIdentifier.KIND_NAME, appTokenService);
    credentials.addToken(appTokenService, appToken);
    Text keyAlias = new Text("mySecretKeyAlias");
    credentials.addSecretKey(keyAlias, "mySecretKey".getBytes());
    Token<? extends TokenIdentifier> storedToken = credentials.getToken(tokenAlias);
    JobConf conf = new JobConf();
    Path tokenFilePath = new Path(testDir, "tokens-file");
    Map<String, String> newEnv = new HashMap<String, String>();
    newEnv.put(UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION, tokenFilePath.toUri().getPath());
    setNewEnvironmentHack(newEnv);
    credentials.writeTokenStorageFile(tokenFilePath, conf);
    ApplicationId appId = ApplicationId.newInstance(12345, 56);
    ApplicationAttemptId applicationAttemptId = ApplicationAttemptId.newInstance(appId, 1);
    ContainerId containerId = ContainerId.newContainerId(applicationAttemptId, 546);
    String userName = UserGroupInformation.getCurrentUser().getShortUserName();
    // Create staging dir, so MRAppMaster doesn't barf.
    File stagingDir = new File(MRApps.getStagingAreaDir(conf, userName).toString());
    stagingDir.mkdirs();
    // Set login-user to null, as that is how a real-world MRApp starts.
    // The login user being null is the reason why the token file is read by UGI.
    UserGroupInformation.setLoginUser(null);
    MRAppMasterTest appMaster = new MRAppMasterTest(applicationAttemptId, containerId, "host", -1, -1, System.currentTimeMillis(), false, true);
    MRAppMaster.initAndStartAppMaster(appMaster, conf, userName);
    // Now validate the task credentials
    Credentials appMasterCreds = appMaster.getCredentials();
    Assert.assertNotNull(appMasterCreds);
    Assert.assertEquals(1, appMasterCreds.numberOfSecretKeys());
    Assert.assertEquals(1, appMasterCreds.numberOfTokens());
    // Validate the tokens - app token should not be present
    Token<? extends TokenIdentifier> usedToken = appMasterCreds.getToken(tokenAlias);
    Assert.assertNotNull(usedToken);
    Assert.assertEquals(storedToken, usedToken);
    // Validate the keys
    byte[] usedKey = appMasterCreds.getSecretKey(keyAlias);
    Assert.assertNotNull(usedKey);
    Assert.assertEquals("mySecretKey", new String(usedKey));
    // The credentials should also be added to conf so that OutputCommitter can
    // access them - app token should not be present
    Credentials confCredentials = conf.getCredentials();
    Assert.assertEquals(1, confCredentials.numberOfSecretKeys());
    Assert.assertEquals(1, confCredentials.numberOfTokens());
    Assert.assertEquals(storedToken, confCredentials.getToken(tokenAlias));
    Assert.assertEquals("mySecretKey", new String(confCredentials.getSecretKey(keyAlias)));
    // Verify the AM's ugi - app token should be present
    Credentials ugiCredentials = appMaster.getUgi().getCredentials();
    Assert.assertEquals(1, ugiCredentials.numberOfSecretKeys());
    Assert.assertEquals(2, ugiCredentials.numberOfTokens());
    Assert.assertEquals(storedToken, ugiCredentials.getToken(tokenAlias));
    Assert.assertEquals(appToken, ugiCredentials.getToken(appTokenService));
    Assert.assertEquals("mySecretKey", new String(ugiCredentials.getSecretKey(keyAlias)));
}
Also used : Path(org.apache.hadoop.fs.Path) HashMap(java.util.HashMap) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) Logger(org.apache.log4j.Logger) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) ContainerId(org.apache.hadoop.yarn.api.records.ContainerId) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) JobConf(org.apache.hadoop.mapred.JobConf) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials) Test(org.junit.Test)

Example 5 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class BaseAMRMProxyE2ETest method createAMRMProtocol.

protected ApplicationMasterProtocol createAMRMProtocol(YarnClient rmClient, ApplicationId appId, MiniYARNCluster cluster, final Configuration yarnConf) throws IOException, InterruptedException, YarnException {
    UserGroupInformation user = null;
    // Get the AMRMToken from AMRMProxy
    ApplicationReport report = rmClient.getApplicationReport(appId);
    user = UserGroupInformation.createProxyUser(report.getCurrentApplicationAttemptId().toString(), UserGroupInformation.getCurrentUser());
    ContainerManagerImpl containerManager = (ContainerManagerImpl) cluster.getNodeManager(0).getNMContext().getContainerManager();
    AMRMProxyTokenSecretManager amrmTokenSecretManager = containerManager.getAMRMProxyService().getSecretManager();
    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> token = amrmTokenSecretManager.createAndGetAMRMToken(report.getCurrentApplicationAttemptId());
    SecurityUtil.setTokenService(token, containerManager.getAMRMProxyService().getBindAddress());
    user.addToken(token);
    return user.doAs(new PrivilegedExceptionAction<ApplicationMasterProtocol>() {

        @Override
        public ApplicationMasterProtocol run() throws Exception {
            return ClientRMProxy.createRMProxy(yarnConf, ApplicationMasterProtocol.class);
        }
    });
}
Also used : AMRMProxyTokenSecretManager(org.apache.hadoop.yarn.server.nodemanager.amrmproxy.AMRMProxyTokenSecretManager) ApplicationMasterProtocol(org.apache.hadoop.yarn.api.ApplicationMasterProtocol) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) IOException(java.io.IOException) ApplicationReport(org.apache.hadoop.yarn.api.records.ApplicationReport) ContainerManagerImpl(org.apache.hadoop.yarn.server.nodemanager.containermanager.ContainerManagerImpl) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

AMRMTokenIdentifier (org.apache.hadoop.yarn.security.AMRMTokenIdentifier): 48
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation): 21
Text (org.apache.hadoop.io.Text): 17
ApplicationAttemptId (org.apache.hadoop.yarn.api.records.ApplicationAttemptId): 17
Test (org.junit.Test): 13
IOException (java.io.IOException): 12
RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp): 11
Token (org.apache.hadoop.security.token.Token): 9
AllocateResponse (org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse): 9
ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId): 7
YarnException (org.apache.hadoop.yarn.exceptions.YarnException): 7
Credentials (org.apache.hadoop.security.Credentials): 6
ContainerId (org.apache.hadoop.yarn.api.records.ContainerId): 6
MockNM (org.apache.hadoop.yarn.server.resourcemanager.MockNM): 6
File (java.io.File): 5
ArrayList (java.util.ArrayList): 5
Configuration (org.apache.hadoop.conf.Configuration): 5
AllocateRequest (org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest): 5
NMToken (org.apache.hadoop.yarn.api.records.NMToken): 5
Token (org.apache.hadoop.yarn.api.records.Token): 5