use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.
the class ContainerManagerImpl method increaseContainersResource.
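/**
 * Increases the resource allocation of a list of containers on this NodeManager.
 *
 * <p>The caller is authorized once per call from the NMToken found in the remote
 * UGI. Each entry of the request carries its own container token, which is
 * verified and then authorized against that NMToken before any resource change
 * is applied. A {@link YarnException} or {@link InvalidToken} raised for one
 * container is recorded in the response and does not abort the rest of the batch.
 *
 * @param requests the container tokens describing the resources to increase
 * @return the ids of the containers that were updated and a map of per-container failures
 * @throws YarnException if the NodeManager is still blocking new container requests,
 *     or if the caller-level authorization fails
 * @throws IOException declared by the interface; an IOException raised while handling
 *     a token is converted with {@code RPCUtil.getRemoteException} and rethrown
 */
@Override
public IncreaseContainersResourceResponse increaseContainersResource(IncreaseContainersResourceRequest requests) throws YarnException, IOException {
  if (blockNewContainerRequests.get()) {
    throw new NMNotYetReadyException("Rejecting container resource increase as NodeManager has not" + " yet connected with ResourceManager");
  }
  // selectNMTokenIdentifier returns null when the UGI carries no NMToken;
  // authorizeUser is expected to reject that case - confirm against its body.
  UserGroupInformation remoteUgi = getRemoteUgi();
  NMTokenIdentifier nmTokenIdentifier = selectNMTokenIdentifier(remoteUgi);
  authorizeUser(remoteUgi, nmTokenIdentifier);
  List<ContainerId> successfullyIncreasedContainers = new ArrayList<>();
  Map<ContainerId, SerializedException> failedContainers = new HashMap<>();
  // NOTE(review): the comment that explained this lock is truncated on the page
  // (only "map in NMContext." survives); presumably it guards state kept in the
  // NM context while resources are being changed - confirm.
  synchronized (this.context) {
    // Process container resource increase requests
    for (org.apache.hadoop.yarn.api.records.Token token : requests.getContainersToIncrease()) {
      ContainerId containerId = null;
      try {
        if (token.getIdentifier() == null) {
          throw new IOException(INVALID_CONTAINERTOKEN_MSG);
        }
        ContainerTokenIdentifier containerTokenIdentifier = BuilderUtils.newContainerTokenIdentifier(token);
        verifyAndGetContainerTokenIdentifier(token, containerTokenIdentifier);
        // Take the id as soon as the token has passed verification, so that an
        // authorization failure below is reported under the container it
        // concerns. Previously the id was assigned after the authorization
        // call, so every rejected request was stored under a null key and
        // later failures overwrote earlier ones. A token that fails
        // verification is still recorded under null: its id is not trusted.
        containerId = containerTokenIdentifier.getContainerID();
        authorizeStartAndResourceIncreaseRequest(nmTokenIdentifier, containerTokenIdentifier, false);
        // Reuse the startContainer logic to update NMToken,
        // as container resource increase request will have come with
        // an updated NMToken.
        updateNMTokenIdentifier(nmTokenIdentifier);
        // The new resource and the version come from the verified token, not
        // from any separate caller-supplied field.
        Resource resource = containerTokenIdentifier.getResource();
        changeContainerResourceInternal(containerId, containerTokenIdentifier.getVersion(), resource, true);
        successfullyIncreasedContainers.add(containerId);
      } catch (YarnException | InvalidToken e) {
        // Per-container failure: report it and continue with the next token.
        failedContainers.put(containerId, SerializedException.newInstance(e));
      } catch (IOException e) {
        // Malformed token or I/O problem: abort the whole call.
        throw RPCUtil.getRemoteException(e);
      }
    }
  }
  return IncreaseContainersResourceResponse.newInstance(successfullyIncreasedContainers, failedContainers);
}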
use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.
the class ContainerManagerImpl method selectNMTokenIdentifier.
/**
 * Picks the NMTokenIdentifier out of the token identifiers attached to the
 * remote UGI.
 *
 * <p>The RPC layer currently sets only the required id, but the set is scanned
 * anyway. The first {@code NMTokenIdentifier} encountered is returned; any
 * further ones are ignored.
 *
 * @param remoteUgi the UGI of the remote caller
 * @return the first NMTokenIdentifier found, or {@code null} when the UGI holds
 *     none; callers must treat {@code null} as "no NMToken presented"
 */
@Private
@VisibleForTesting
protected NMTokenIdentifier selectNMTokenIdentifier(UserGroupInformation remoteUgi) {
  for (TokenIdentifier candidate : remoteUgi.getTokenIdentifiers()) {
    if (candidate instanceof NMTokenIdentifier) {
      return (NMTokenIdentifier) candidate;
    }
  }
  // No NMToken among the caller's identifiers.
  return null;
}
use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.
the class TestContainerManager method testUnauthorizedRequests.
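/**
 * Checks that start, stop and status requests for a container whose application
 * is not authorized are rejected, and that each rejection is reported in the
 * response's failed-requests map under the container id.
 *
 * NOTE(review): increaseContainersResource is not exercised by this test, so the
 * rejection path of resource-increase requests is not covered here.
 */
@Test
public void testUnauthorizedRequests() throws IOException, YarnException {
  containerManager.start();
  // Create a containerId that belongs to an unauthorized appId
  ContainerId cId = createContainerId(0, 1);
  // startContainers()
  ContainerLaunchContext containerLaunchContext = recordFactory.newRecordInstance(ContainerLaunchContext.class);
  StartContainerRequest scRequest = StartContainerRequest.newInstance(containerLaunchContext, createContainerToken(cId, DUMMY_RM_IDENTIFIER, context.getNodeId(), user, context.getContainerTokenSecretManager()));
  List<StartContainerRequest> list = new ArrayList<>();
  list.add(scRequest);
  StartContainersRequest allRequests = StartContainersRequest.newInstance(list);
  StartContainersResponse startResponse = containerManager.startContainers(allRequests);
  Assert.assertFalse("Should not be authorized to start container", startResponse.getSuccessfullyStartedContainers().contains(cId));
  Assert.assertTrue("Start container request should fail", startResponse.getFailedRequests().containsKey(cId));
  // Insert the containerId into context, make it as if it is running.
  // This way the stop and status calls below are refused by the authorization
  // check rather than because the container is unknown.
  ContainerTokenIdentifier containerTokenIdentifier = BuilderUtils.newContainerTokenIdentifier(scRequest.getContainerToken());
  Container container = new ContainerImpl(conf, null, containerLaunchContext, null, metrics, containerTokenIdentifier, context);
  context.getContainers().put(cId, container);
  // stopContainers()
  List<ContainerId> containerIds = new ArrayList<>();
  containerIds.add(cId);
  StopContainersRequest stopRequest = StopContainersRequest.newInstance(containerIds);
  StopContainersResponse stopResponse = containerManager.stopContainers(stopRequest);
  Assert.assertFalse("Should not be authorized to stop container", stopResponse.getSuccessfullyStoppedContainers().contains(cId));
  Assert.assertTrue("Stop container request should fail", stopResponse.getFailedRequests().containsKey(cId));
  // getContainerStatuses()
  containerIds = new ArrayList<>();
  containerIds.add(cId);
  GetContainerStatusesRequest request = GetContainerStatusesRequest.newInstance(containerIds);
  GetContainerStatusesResponse response = containerManager.getContainerStatuses(request);
  // JUnit expects (message, expected, actual); the arguments were previously
  // swapped, which would have produced a misleading failure message.
  Assert.assertEquals("Should not be authorized to get container status", 0, response.getContainerStatuses().size());
  Assert.assertTrue("Get status request should fail", response.getFailedRequests().containsKey(cId));
}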
use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.
the class TestContainerLaunch method createContainerToken.
/**
 * Builds a container token for {@code cId} bound to the test context's node and
 * signed with the password obtained from the context's container-token secret
 * manager.
 *
 * @param cId the container the token is issued for
 * @param priority the priority stored in the token identifier
 * @param createTime the creation time stored in the token identifier
 * @return the newly built container token
 * @throws InvalidToken if the secret manager cannot produce a password for the identifier
 */
protected Token createContainerToken(ContainerId cId, Priority priority, long createTime) throws InvalidToken {
  // Fixed test values; presumably 1024 MB of memory and 1 vcore - confirm
  // against BuilderUtils.newResource.
  Resource capability = BuilderUtils.newResource(1024, 1);
  String nodeAddress = context.getNodeId().toString();
  // Presumably the expiry timestamp, 10 seconds from now; 123 below is
  // presumably the master key id - confirm against the constructor.
  long expiry = System.currentTimeMillis() + 10000L;
  ContainerTokenIdentifier tokenId = new ContainerTokenIdentifier(cId, nodeAddress, user, capability, expiry, 123, DUMMY_RM_IDENTIFIER, priority, createTime);
  return BuilderUtils.newContainerToken(context.getNodeId(), context.getContainerTokenSecretManager().retrievePassword(tokenId), tokenId);
}
use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.
the class TestApplication method testAppFinishedOnCompletedContainers.
/**
 * Drives an application through INITING and RUNNING with all of its containers
 * finished, then through resource cleanup to FINISHED, and checks the container
 * token bookkeeping once the tokens have expired.
 */
@Test
@SuppressWarnings("unchecked")
public void testAppFinishedOnCompletedContainers() {
  // Built before the try block: if construction throws there is nothing to
  // clean up, which matches skipping finished() for a null reference.
  WrappedApplication wrapped = new WrappedApplication(5, 314159265358979L, "yak", 3);
  try {
    wrapped.initApplication();
    wrapped.initContainer(-1);
    assertEquals(ApplicationState.INITING, wrapped.app.getApplicationState());

    wrapped.applicationInited();
    assertEquals(ApplicationState.RUNNING, wrapped.app.getApplicationState());

    reset(wrapped.localizerBus);
    // Finish containers 0, 1 and 2; the application stays RUNNING until it is
    // explicitly told to finish.
    for (int finishedIdx = 0; finishedIdx < 3; finishedIdx++) {
      wrapped.containerFinished(finishedIdx);
    }
    assertEquals(ApplicationState.RUNNING, wrapped.app.getApplicationState());
    assertEquals(0, wrapped.app.getContainers().size());

    wrapped.appFinished();
    assertEquals(ApplicationState.APPLICATION_RESOURCES_CLEANINGUP, wrapped.app.getApplicationState());
    verify(wrapped.localizerBus).handle(refEq(new ApplicationLocalizationEvent(LocalizationEventType.DESTROY_APPLICATION_RESOURCES, wrapped.app)));

    wrapped.appResourcesCleanedup();
    // Once a container token has expired, the secret manager must again accept
    // its identifier as a valid start request; presumably it only remembers
    // started containers until their tokens expire - confirm.
    for (Container finished : wrapped.containers) {
      ContainerTokenIdentifier tokenId = wrapped.getContainerTokenIdentifier(finished.getContainerId());
      waitForContainerTokenToExpire(tokenId);
      Assert.assertTrue(wrapped.context.getContainerTokenSecretManager().isValidStartContainerRequest(tokenId));
    }
    assertEquals(ApplicationState.FINISHED, wrapped.app.getApplicationState());
  } finally {
    wrapped.finished();
  }
}