Search in sources :

Example 26 with ContainerTokenIdentifier

use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.

the class ContainerManagerImpl method increaseContainersResource.

/**
   * Increase resource of a list of containers on this NodeManager.
   */
@Override
public IncreaseContainersResourceResponse increaseContainersResource(IncreaseContainersResourceRequest requests) throws YarnException, IOException {
    if (blockNewContainerRequests.get()) {
        throw new NMNotYetReadyException("Rejecting container resource increase as NodeManager has not" + " yet connected with ResourceManager");
    }
    UserGroupInformation remoteUgi = getRemoteUgi();
    NMTokenIdentifier nmTokenIdentifier = selectNMTokenIdentifier(remoteUgi);
    authorizeUser(remoteUgi, nmTokenIdentifier);
    List<ContainerId> successfullyIncreasedContainers = new ArrayList<ContainerId>();
    Map<ContainerId, SerializedException> failedContainers = new HashMap<ContainerId, SerializedException>();
    // map in NMContext.
    synchronized (this.context) {
        // Process container resource increase requests
        for (org.apache.hadoop.yarn.api.records.Token token : requests.getContainersToIncrease()) {
            ContainerId containerId = null;
            try {
                if (token.getIdentifier() == null) {
                    throw new IOException(INVALID_CONTAINERTOKEN_MSG);
                }
                ContainerTokenIdentifier containerTokenIdentifier = BuilderUtils.newContainerTokenIdentifier(token);
                verifyAndGetContainerTokenIdentifier(token, containerTokenIdentifier);
                authorizeStartAndResourceIncreaseRequest(nmTokenIdentifier, containerTokenIdentifier, false);
                containerId = containerTokenIdentifier.getContainerID();
                // Reuse the startContainer logic to update NMToken,
                // as container resource increase request will have come with
                // an updated NMToken.
                updateNMTokenIdentifier(nmTokenIdentifier);
                Resource resource = containerTokenIdentifier.getResource();
                changeContainerResourceInternal(containerId, containerTokenIdentifier.getVersion(), resource, true);
                successfullyIncreasedContainers.add(containerId);
            } catch (YarnException | InvalidToken e) {
                failedContainers.put(containerId, SerializedException.newInstance(e));
            } catch (IOException e) {
                throw RPCUtil.getRemoteException(e);
            }
        }
    }
    return IncreaseContainersResourceResponse.newInstance(successfullyIncreasedContainers, failedContainers);
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) HashMap(java.util.HashMap) SerializedException(org.apache.hadoop.yarn.api.records.SerializedException) ArrayList(java.util.ArrayList) Resource(org.apache.hadoop.yarn.api.records.Resource) NMNotYetReadyException(org.apache.hadoop.yarn.exceptions.NMNotYetReadyException) IOException(java.io.IOException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier) ContainerId(org.apache.hadoop.yarn.api.records.ContainerId) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 27 with ContainerTokenIdentifier

use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.

the class ContainerManagerImpl method selectNMTokenIdentifier.

// Obtain the needed ContainerTokenIdentifier from the remote-UGI. RPC layer
// currently sets only the required id, but iterate through anyways just to
// be sure.
@Private
@VisibleForTesting
protected NMTokenIdentifier selectNMTokenIdentifier(UserGroupInformation remoteUgi) {
    Set<TokenIdentifier> tokenIdentifiers = remoteUgi.getTokenIdentifiers();
    NMTokenIdentifier resultId = null;
    for (TokenIdentifier id : tokenIdentifiers) {
        if (id instanceof NMTokenIdentifier) {
            resultId = (NMTokenIdentifier) id;
            break;
        }
    }
    return resultId;
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) TokenIdentifier(org.apache.hadoop.security.token.TokenIdentifier) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier) NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Private(org.apache.hadoop.classification.InterfaceAudience.Private)

Example 28 with ContainerTokenIdentifier

use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.

the class TestContainerManager method testUnauthorizedRequests.

@Test
public void testUnauthorizedRequests() throws IOException, YarnException {
    containerManager.start();
    // Create a containerId that belongs to an unauthorized appId
    ContainerId cId = createContainerId(0, 1);
    // startContainers()
    ContainerLaunchContext containerLaunchContext = recordFactory.newRecordInstance(ContainerLaunchContext.class);
    StartContainerRequest scRequest = StartContainerRequest.newInstance(containerLaunchContext, createContainerToken(cId, DUMMY_RM_IDENTIFIER, context.getNodeId(), user, context.getContainerTokenSecretManager()));
    List<StartContainerRequest> list = new ArrayList<>();
    list.add(scRequest);
    StartContainersRequest allRequests = StartContainersRequest.newInstance(list);
    StartContainersResponse startResponse = containerManager.startContainers(allRequests);
    Assert.assertFalse("Should not be authorized to start container", startResponse.getSuccessfullyStartedContainers().contains(cId));
    Assert.assertTrue("Start container request should fail", startResponse.getFailedRequests().containsKey(cId));
    // Insert the containerId into context, make it as if it is running
    ContainerTokenIdentifier containerTokenIdentifier = BuilderUtils.newContainerTokenIdentifier(scRequest.getContainerToken());
    Container container = new ContainerImpl(conf, null, containerLaunchContext, null, metrics, containerTokenIdentifier, context);
    context.getContainers().put(cId, container);
    // stopContainers()
    List<ContainerId> containerIds = new ArrayList<>();
    containerIds.add(cId);
    StopContainersRequest stopRequest = StopContainersRequest.newInstance(containerIds);
    StopContainersResponse stopResponse = containerManager.stopContainers(stopRequest);
    Assert.assertFalse("Should not be authorized to stop container", stopResponse.getSuccessfullyStoppedContainers().contains(cId));
    Assert.assertTrue("Stop container request should fail", stopResponse.getFailedRequests().containsKey(cId));
    // getContainerStatuses()
    containerIds = new ArrayList<>();
    containerIds.add(cId);
    GetContainerStatusesRequest request = GetContainerStatusesRequest.newInstance(containerIds);
    GetContainerStatusesResponse response = containerManager.getContainerStatuses(request);
    Assert.assertEquals("Should not be authorized to get container status", response.getContainerStatuses().size(), 0);
    Assert.assertTrue("Get status request should fail", response.getFailedRequests().containsKey(cId));
}
Also used : StartContainersRequest(org.apache.hadoop.yarn.api.protocolrecords.StartContainersRequest) StartContainersResponse(org.apache.hadoop.yarn.api.protocolrecords.StartContainersResponse) GetContainerStatusesRequest(org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusesRequest) ArrayList(java.util.ArrayList) ContainerLaunchContext(org.apache.hadoop.yarn.api.records.ContainerLaunchContext) StartContainerRequest(org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier) GetContainerStatusesResponse(org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusesResponse) Container(org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container) ContainerId(org.apache.hadoop.yarn.api.records.ContainerId) ContainerImpl(org.apache.hadoop.yarn.server.nodemanager.containermanager.container.ContainerImpl) StopContainersRequest(org.apache.hadoop.yarn.api.protocolrecords.StopContainersRequest) StopContainersResponse(org.apache.hadoop.yarn.api.protocolrecords.StopContainersResponse) Test(org.junit.Test)

Example 29 with ContainerTokenIdentifier

use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.

the class TestContainerLaunch method createContainerToken.

protected Token createContainerToken(ContainerId cId, Priority priority, long createTime) throws InvalidToken {
    Resource r = BuilderUtils.newResource(1024, 1);
    ContainerTokenIdentifier containerTokenIdentifier = new ContainerTokenIdentifier(cId, context.getNodeId().toString(), user, r, System.currentTimeMillis() + 10000L, 123, DUMMY_RM_IDENTIFIER, priority, createTime);
    Token containerToken = BuilderUtils.newContainerToken(context.getNodeId(), context.getContainerTokenSecretManager().retrievePassword(containerTokenIdentifier), containerTokenIdentifier);
    return containerToken;
}
Also used : Resource(org.apache.hadoop.yarn.api.records.Resource) LocalResource(org.apache.hadoop.yarn.api.records.LocalResource) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.yarn.api.records.Token) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier)

Example 30 with ContainerTokenIdentifier

use of org.apache.hadoop.yarn.security.ContainerTokenIdentifier in project hadoop by apache.

the class TestApplication method testAppFinishedOnCompletedContainers.

@Test
@SuppressWarnings("unchecked")
public void testAppFinishedOnCompletedContainers() {
    WrappedApplication wa = null;
    try {
        wa = new WrappedApplication(5, 314159265358979L, "yak", 3);
        wa.initApplication();
        wa.initContainer(-1);
        assertEquals(ApplicationState.INITING, wa.app.getApplicationState());
        wa.applicationInited();
        assertEquals(ApplicationState.RUNNING, wa.app.getApplicationState());
        reset(wa.localizerBus);
        wa.containerFinished(0);
        wa.containerFinished(1);
        wa.containerFinished(2);
        assertEquals(ApplicationState.RUNNING, wa.app.getApplicationState());
        assertEquals(0, wa.app.getContainers().size());
        wa.appFinished();
        assertEquals(ApplicationState.APPLICATION_RESOURCES_CLEANINGUP, wa.app.getApplicationState());
        verify(wa.localizerBus).handle(refEq(new ApplicationLocalizationEvent(LocalizationEventType.DESTROY_APPLICATION_RESOURCES, wa.app)));
        wa.appResourcesCleanedup();
        for (Container container : wa.containers) {
            ContainerTokenIdentifier identifier = wa.getContainerTokenIdentifier(container.getContainerId());
            waitForContainerTokenToExpire(identifier);
            Assert.assertTrue(wa.context.getContainerTokenSecretManager().isValidStartContainerRequest(identifier));
        }
        assertEquals(ApplicationState.FINISHED, wa.app.getApplicationState());
    } finally {
        if (wa != null)
            wa.finished();
    }
}
Also used : Container(org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container) ApplicationLocalizationEvent(org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.event.ApplicationLocalizationEvent) ContainerTokenIdentifier(org.apache.hadoop.yarn.security.ContainerTokenIdentifier) Test(org.junit.Test)

Aggregations

ContainerTokenIdentifier (org.apache.hadoop.yarn.security.ContainerTokenIdentifier)32 ContainerId (org.apache.hadoop.yarn.api.records.ContainerId)19 ArrayList (java.util.ArrayList)14 Resource (org.apache.hadoop.yarn.api.records.Resource)13 Token (org.apache.hadoop.yarn.api.records.Token)13 ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId)12 Test (org.junit.Test)11 ApplicationAttemptId (org.apache.hadoop.yarn.api.records.ApplicationAttemptId)10 StartContainerRequest (org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest)9 InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken)8 NodeId (org.apache.hadoop.yarn.api.records.NodeId)8 Container (org.apache.hadoop.yarn.api.records.Container)7 ContainerLaunchContext (org.apache.hadoop.yarn.api.records.ContainerLaunchContext)7 IOException (java.io.IOException)6 HashMap (java.util.HashMap)6 StartContainersRequest (org.apache.hadoop.yarn.api.protocolrecords.StartContainersRequest)5 LocalResource (org.apache.hadoop.yarn.api.records.LocalResource)5 YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration)5 YarnException (org.apache.hadoop.yarn.exceptions.YarnException)5 YarnRPC (org.apache.hadoop.yarn.ipc.YarnRPC)5