
Example 36 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class AMRMProxyService method processApplicationStartRequest.

/**
 * Prepares the request-processing pipeline for an application master that is
 * about to be launched. Invoked as a callback by the ContainerManager
 * implementation.
 *
 * <p>The AMRMToken found in the container launch context is passed on to
 * {@code initializePipeline}, while the launch context is rewritten to carry a
 * token created by this service's own secret manager. Every other token in the
 * credentials is serialized back as it was parsed.
 *
 * <p>The serialized credentials include token passwords; only the application
 * attempt id is placed in the exception message built here.
 *
 * @param request encapsulates information for starting an AM
 * @throws IOException if the credentials cannot be parsed or written back
 * @throws YarnException declared for the helpers called here; which call raises
 *         it is not visible in this method
 * @throws YarnRuntimeException if the launch context carries no AMRMToken
 */
public void processApplicationStartRequest(StartContainerRequest request) throws IOException, YarnException {
    LOG.info("Callback received for initializing request processing pipeline for an AM");

    ContainerTokenIdentifier containerTokenId = BuilderUtils.newContainerTokenIdentifier(request.getContainerToken());
    ApplicationAttemptId attemptId = containerTokenId.getContainerID().getApplicationAttemptId();

    Credentials launchCredentials = YarnServerSecurityUtils.parseCredentials(request.getContainerLaunchContext());
    Token<AMRMTokenIdentifier> rmIssuedToken = getFirstAMRMToken(launchCredentials.getAllTokens());
    if (rmIssuedToken == null) {
        String reason = "AMRMToken not found in the start container request for application:" + attemptId.toString();
        throw new YarnRuntimeException(reason);
    }

    // Swap in a locally created AMRMToken; all other tokens stay untouched.
    // NOTE(review): the swap only removes the original token if it was stored
    // under the same alias as localToken.getService() - confirm, otherwise the
    // launched container would still receive the original token as well.
    Token<AMRMTokenIdentifier> proxyIssuedToken = this.secretManager.createAndGetAMRMToken(attemptId);
    launchCredentials.addToken(proxyIssuedToken.getService(), proxyIssuedToken);

    DataOutputBuffer serialized = new DataOutputBuffer();
    launchCredentials.writeTokenStorageToStream(serialized);
    // Wrap only the first getLength() bytes of the buffer's backing array.
    ByteBuffer tokenBytes = ByteBuffer.wrap(serialized.getData(), 0, serialized.getLength());
    request.getContainerLaunchContext().setTokens(tokenBytes);

    initializePipeline(
        containerTokenId.getContainerID().getApplicationAttemptId(),
        containerTokenId.getApplicationSubmitter(),
        rmIssuedToken,
        proxyIssuedToken);
}
Also used : YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) DataOutputBuffer(org.apache.hadoop.io.DataOutputBuffer) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) Credentials(org.apache.hadoop.security.Credentials) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier)

Example 37 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class AMRMProxyService method updateAMRMTokens.

/**
 * Reconciles the AMRMTokens tracked for one application with the outcome of
 * an allocate call.
 *
 * <p>If the response carries an AMRMToken, that token is stored in the
 * application context and cleared from the response so it is not returned to
 * the AM. Independently, if the secret manager has a next master key whose id
 * differs from the key id in {@code amrmTokenIdentifier}, the local AMRMToken
 * (re-created first when its key id is stale) is written into the response.
 *
 * @param amrmTokenIdentifier identifier whose key id is compared with the next
 *        master key
 * @param pipeline interceptor chain wrapper of the application
 * @param allocateResponse response to inspect and modify in place
 */
private void updateAMRMTokens(AMRMTokenIdentifier amrmTokenIdentifier, RequestInterceptorChainWrapper pipeline, AllocateResponse allocateResponse) {
    AMRMProxyApplicationContextImpl appContext = (AMRMProxyApplicationContextImpl) pipeline.getRootInterceptor().getApplicationContext();

    // A token in the response replaces the real AMRMToken held in the context.
    if (allocateResponse.getAMRMToken() != null) {
        LOG.info("RM rolled master-key for amrm-tokens");
        org.apache.hadoop.yarn.api.records.Token rmIssued = allocateResponse.getAMRMToken();
        // Clear it from the response: this token must not travel back to the AM.
        allocateResponse.setAMRMToken(null);
        // NOTE(review): array() returns the whole backing array and ignores the
        // buffer's position, offset and limit - confirm the buffers are exact.
        byte[] identifierBytes = rmIssued.getIdentifier().array();
        byte[] passwordBytes = rmIssued.getPassword().array();
        Text kind = new Text(rmIssued.getKind());
        Text service = new Text(rmIssued.getService());
        org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> realToken = new org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>(identifierBytes, passwordBytes, kind, service);
        appContext.setAMRMToken(realToken);
    }

    // Nothing more to do unless a next master key exists and the caller's
    // token was issued under a different key id.
    MasterKeyData upcomingKey = this.secretManager.getNextMasterKeyData();
    if (upcomingKey == null || upcomingKey.getMasterKey().getKeyId() == amrmTokenIdentifier.getKeyId()) {
        return;
    }

    Token<AMRMTokenIdentifier> tokenForAm = appContext.getLocalAMRMToken();
    if (upcomingKey.getMasterKey().getKeyId() != appContext.getLocalAMRMTokenKeyId()) {
        // The token held in the context has a stale key id: create a new one.
        LOG.info("The local AMRMToken has been rolled-over. Send new local AMRMToken back to application: " + pipeline.getApplicationId());
        tokenForAm = this.secretManager.createAndGetAMRMToken(pipeline.getApplicationAttemptId());
        appContext.setLocalAMRMToken(tokenForAm);
    }
    allocateResponse.setAMRMToken(
        org.apache.hadoop.yarn.api.records.Token.newInstance(
            tokenForAm.getIdentifier(),
            tokenForAm.getKind().toString(),
            tokenForAm.getPassword(),
            tokenForAm.getService().toString()));
}
Also used : Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) MasterKeyData(org.apache.hadoop.yarn.server.security.MasterKeyData)

Example 38 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class DefaultRequestInterceptor method updateAMRMToken.

/**
 * Converts a YARN record token into a security-layer AMRMToken, adds it to
 * {@code user}, and then rewrites the token's service to the value returned by
 * {@code ClientRMProxy.getAMRMTokenService(getConf())}.
 *
 * @param token token record to install
 * @throws IOException declared for the calls made here
 */
private void updateAMRMToken(Token token) throws IOException {
    // NOTE(review): array() exposes the whole backing array regardless of the
    // buffer's position, offset and limit - confirm the buffers are exact.
    byte[] identifierBytes = token.getIdentifier().array();
    byte[] passwordBytes = token.getPassword().array();
    Text kind = new Text(token.getKind());
    Text rmService = new Text(token.getService());
    org.apache.hadoop.security.token.Token<AMRMTokenIdentifier> rmToken = new org.apache.hadoop.security.token.Token<AMRMTokenIdentifier>(identifierBytes, passwordBytes, kind, rmService);

    // Order matters: add the token while it still carries the service sent by
    // the RM so that it replaces the token the RM set up earlier, and only
    // then switch the service to the address used by the RPC layer.
    user.addToken(rmToken);
    rmToken.setService(ClientRMProxy.getAMRMTokenService(getConf()));
}
Also used : AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) Token(org.apache.hadoop.yarn.api.records.Token) Text(org.apache.hadoop.io.Text)

Example 39 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class MockResourceManagerFacade method getAppIdentifier.

/**
 * Returns the application attempt id, as a string, from the first
 * AMRMTokenIdentifier among the current user's token identifiers.
 * "First" follows the iteration order of the returned set.
 *
 * @return the attempt id string, or an empty string when the current user has
 *         no AMRMTokenIdentifier
 * @throws IOException declared for the current-user lookup
 */
private static String getAppIdentifier() throws IOException {
    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    for (TokenIdentifier candidate : currentUser.getTokenIdentifiers()) {
        if (candidate instanceof AMRMTokenIdentifier) {
            // Stop at the first match.
            return ((AMRMTokenIdentifier) candidate).getApplicationAttemptId().toString();
        }
    }
    return "";
}
Also used : AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 40 with AMRMTokenIdentifier

use of org.apache.hadoop.yarn.security.AMRMTokenIdentifier in project hadoop by apache.

the class ApplicationMasterService method allocate.

/**
 * Handles an allocate heartbeat from an application master.
 *
 * <p>The application attempt is taken from the AMRMTokenIdentifier returned by
 * {@code YarnServerSecurityUtils.authorizeRequest()}; no field of
 * {@code request} is used to identify the caller. The request's response id is
 * compared with the last response stored for the attempt to detect repeated
 * or out-of-date heartbeats. When the secret manager has a next master key
 * whose id differs from the caller's token key id, an AMRMToken is attached to
 * the response.
 *
 * @param request the allocate request sent by the AM
 * @return the stored last response for a repeated heartbeat, otherwise a newly
 *         built response whose id is the last response id plus one
 * @throws ApplicationAttemptNotFoundException if no response lock is cached
 *         for the attempt
 * @throws ApplicationMasterNotRegisteredException if the AM is not registered
 *         for the attempt
 * @throws InvalidApplicationMasterRequestException if the request's response
 *         id is more than one behind the last response id
 * @throws YarnException declared by the method signature
 * @throws IOException declared by the method signature
 */
@Override
public AllocateResponse allocate(AllocateRequest request) throws YarnException, IOException {
    // The caller's identity comes from the authorized token identifier.
    // NOTE(review): authorizeRequest() is not shown here; presumably it derives
    // the identifier from the RPC caller's credentials - confirm.
    AMRMTokenIdentifier amrmTokenIdentifier = YarnServerSecurityUtils.authorizeRequest();
    ApplicationAttemptId appAttemptId = amrmTokenIdentifier.getApplicationAttemptId();
    // The liveliness ping is recorded before the cache and registration checks.
    this.amLivelinessMonitor.receivedPing(appAttemptId);
    /* Check whether the attempt is in the response cache. */
    AllocateResponseLock lock = responseMap.get(appAttemptId);
    if (lock == null) {
        String message = "Application attempt " + appAttemptId + " doesn't exist in ApplicationMasterService cache.";
        LOG.error(message);
        throw new ApplicationAttemptNotFoundException(message);
    }
    // All remaining work for this attempt is serialized on its lock object.
    synchronized (lock) {
        AllocateResponse lastResponse = lock.getAllocateResponse();
        if (!hasApplicationMasterRegistered(appAttemptId)) {
            String message = "AM is not registered for known application attempt: " + appAttemptId + " or RM had restarted after AM registered. " + " AM should re-register.";
            throw new ApplicationMasterNotRegisteredException(message);
        }
        // NOTE(review): if getResponseId() returns an int, "+ 1" wraps around
        // at Integer.MAX_VALUE - confirm how long-running AMs are handled.
        if ((request.getResponseId() + 1) == lastResponse.getResponseId()) {
            /* Old heartbeat: resend the stored response. */
            return lastResponse;
        } else if (request.getResponseId() + 1 < lastResponse.getResponseId()) {
            // NOTE(review): the message reports lastResponse id + 1 as the
            // expected value, while the checks above let a request whose id
            // equals the last response id proceed - confirm the wording.
            String message = "Invalid responseId in AllocateRequest from application attempt: " + appAttemptId + ", expect responseId to be " + (lastResponse.getResponseId() + 1);
            throw new InvalidApplicationMasterRequestException(message);
        }
        AllocateResponse response = recordFactory.newRecordInstance(AllocateResponse.class);
        allocateInternal(amrmTokenIdentifier.getApplicationAttemptId(), request, response);
        // Attach an AMRMToken when a next master key exists and the caller's
        // token was issued under a different key id.
        MasterKeyData nextMasterKey = this.rmContext.getAMRMTokenSecretManager().getNextMasterKeyData();
        if (nextMasterKey != null && nextMasterKey.getMasterKey().getKeyId() != amrmTokenIdentifier.getKeyId()) {
            // NOTE(review): the map lookup result and the cast below are used
            // without a null or type check - confirm the app cannot have been
            // removed and that the attempt is always an RMAppAttemptImpl.
            RMApp app = this.rmContext.getRMApps().get(appAttemptId.getApplicationId());
            RMAppAttempt appAttempt = app.getRMAppAttempt(appAttemptId);
            RMAppAttemptImpl appAttemptImpl = (RMAppAttemptImpl) appAttempt;
            Token<AMRMTokenIdentifier> amrmToken = appAttempt.getAMRMToken();
            // Create a new token only if the attempt's stored token key id
            // differs from the next master key; otherwise reuse the stored one.
            if (nextMasterKey.getMasterKey().getKeyId() != appAttemptImpl.getAMRMTokenKeyId()) {
                // Only the application id is logged, never the token contents.
                LOG.info("The AMRMToken has been rolled-over. Send new AMRMToken back" + " to application: " + appAttemptId.getApplicationId());
                amrmToken = rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken(appAttemptId);
                appAttemptImpl.setAMRMToken(amrmToken);
            }
            // The response now carries the token identifier and password.
            response.setAMRMToken(org.apache.hadoop.yarn.api.records.Token.newInstance(amrmToken.getIdentifier(), amrmToken.getKind().toString(), amrmToken.getPassword(), amrmToken.getService().toString()));
        }
        /*
         * The response is updated while holding the lock object, so an
         * unregister call (which removes the lock object) occurring in
         * between is not a concern.
         */
        response.setResponseId(lastResponse.getResponseId() + 1);
        lock.setAllocateResponse(response);
        return response;
    }
}
Also used : InvalidApplicationMasterRequestException(org.apache.hadoop.yarn.exceptions.InvalidApplicationMasterRequestException) RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) RMAppAttempt(org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) ApplicationAttemptNotFoundException(org.apache.hadoop.yarn.exceptions.ApplicationAttemptNotFoundException) AllocateResponse(org.apache.hadoop.yarn.api.protocolrecords.AllocateResponse) ApplicationMasterNotRegisteredException(org.apache.hadoop.yarn.exceptions.ApplicationMasterNotRegisteredException) AMRMTokenIdentifier(org.apache.hadoop.yarn.security.AMRMTokenIdentifier) RMAppAttemptImpl(org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptImpl) MasterKeyData(org.apache.hadoop.yarn.server.security.MasterKeyData)
