
Example 1 with NMTokenIdentifier

use of org.apache.hadoop.yarn.security.NMTokenIdentifier in project hadoop by apache.

the class ContainerManagerImpl method preReInitializeOrLocalizeCheck.

/**
 * Gate for re-initialize / localize style operations: authorizes the remote
 * caller, confirms the caller's application owns the container, and returns
 * the container only if it is currently eligible for the operation.
 *
 * <p>Checks run in a fixed order: caller authorization, application
 * ownership, container existence, container state. The existence and state
 * messages (which echo the container id and its current state) are therefore
 * only produced for a caller that has already passed the first two checks.
 *
 * @param containerId container the caller wants to operate on
 * @param op requested operation; in this method it is only used in error text
 * @return the container registered in the context under {@code containerId}
 * @throws YarnException if the caller's NMToken belongs to a different
 *     application, the container is unknown, or the container is not running
 *     or is already re-initializing; {@code getRemoteUgi} and
 *     {@code authorizeUser} are also reached from here and may throw it
 */
private Container preReInitializeOrLocalizeCheck(ContainerId containerId, ReInitOp op) throws YarnException {
    UserGroupInformation callerUgi = getRemoteUgi();
    NMTokenIdentifier callerToken = selectNMTokenIdentifier(callerUgi);
    // NOTE(review): callerToken is dereferenced below without a null check in
    // this method, so this relies on authorizeUser (defined elsewhere)
    // rejecting a missing NMToken identifier - confirm.
    authorizeUser(callerUgi, callerToken);

    // Ownership check: the application named in the caller's NMToken must be
    // the application the container belongs to.
    boolean sameApplication = callerToken.getApplicationAttemptId().getApplicationId()
        .equals(containerId.getApplicationAttemptId().getApplicationId());
    if (!sameApplication) {
        throw new YarnException("ApplicationMaster not authorized to perform [" + op + "] on Container [" + containerId + "]!!");
    }

    Container target = context.getContainers().get(containerId);
    if (target == null) {
        throw new YarnException("Specified " + containerId + " does not exist!");
    }

    // Eligible only while running and not already in the middle of a re-init.
    if (target.isRunning() && !target.isReInitializing()) {
        return target;
    }
    throw new YarnException("Cannot perform " + op + " on [" + containerId + "]. Current state is [" + target.getContainerState() + ", isReInitializing=" + target.isReInitializing() + "].");
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) Container(org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 2 with NMTokenIdentifier

use of org.apache.hadoop.yarn.security.NMTokenIdentifier in project hadoop by apache.

the class ContainerManagerImpl method getContainerStatuses.

/**
 * Returns the status of each requested container, reporting failures per
 * container instead of failing the whole request.
 *
 * <p>The caller's NMToken identifier is resolved once; if none can be
 * selected the whole call is rejected with {@code INVALID_NMTOKEN_MSG}.
 * The same identifier is then handed to {@code getContainerStatusInternal}
 * for every container id in the request.
 *
 * <p>NOTE(review): the only check made directly in this method is that an
 * identifier exists. Whether the caller may see a given container is
 * presumably decided inside {@code getContainerStatusInternal}, which
 * receives the identifier - confirm against that method.
 *
 * @param request carries the container ids to look up
 * @return response holding the statuses that were obtained and, for each
 *     container whose lookup threw {@link YarnException}, that exception in
 *     serialized form keyed by container id
 * @throws YarnException if no NMToken identifier is available for the caller
 * @throws IOException declared by the overridden method
 */
@Override
public GetContainerStatusesResponse getContainerStatuses(GetContainerStatusesRequest request) throws YarnException, IOException {
    UserGroupInformation callerUgi = getRemoteUgi();
    NMTokenIdentifier callerToken = selectNMTokenIdentifier(callerUgi);
    if (callerToken == null) {
        throw RPCUtil.getRemoteException(INVALID_NMTOKEN_MSG);
    }

    List<ContainerStatus> statuses = new ArrayList<>();
    Map<ContainerId, SerializedException> failures = new HashMap<>();
    for (ContainerId requestedId : request.getContainerIds()) {
        try {
            statuses.add(getContainerStatusInternal(requestedId, callerToken));
        } catch (YarnException lookupFailure) {
            // The failure is returned to the remote caller rather than logged here.
            // NOTE(review): confirm the serialized form carries no more detail
            // than the caller should see.
            failures.put(requestedId, SerializedException.newInstance(lookupFailure));
        }
    }
    return GetContainerStatusesResponse.newInstance(statuses, failures);
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) RecoveredContainerStatus(org.apache.hadoop.yarn.server.nodemanager.recovery.NMStateStoreService.RecoveredContainerStatus) ContainerStatus(org.apache.hadoop.yarn.api.records.ContainerStatus) HashMap(java.util.HashMap) ContainerId(org.apache.hadoop.yarn.api.records.ContainerId) SerializedException(org.apache.hadoop.yarn.api.records.SerializedException) ArrayList(java.util.ArrayList) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 3 with NMTokenIdentifier

use of org.apache.hadoop.yarn.security.NMTokenIdentifier in project hadoop by apache.

the class DummyContainerManager method getRemoteUgi.

/**
 * Test double for caller identification: builds a fixed remote user and
 * attaches a locally constructed NMToken identifier to it.
 *
 * <p>Nothing here consults an RPC context. The application attempt (app 0/0,
 * attempt 1) and the submitter name {@code "testuser"} are hard-coded, and
 * the key id is read from the node's own current NMToken key, so every call
 * yields an identity whose identifier refers to the current key. This
 * override replaces real caller identification and belongs in test code
 * only.
 *
 * @return a remote-user UGI named after the fabricated application attempt,
 *     carrying one NMToken identifier
 * @throws YarnException declared by the overridden method
 */
@Override
protected UserGroupInformation getRemoteUgi() throws YarnException {
    ApplicationAttemptId fakeAttempt = ApplicationAttemptId.newInstance(ApplicationId.newInstance(0, 0), 1);
    // The UGI user name is the attempt id string, matching the attempt id
    // placed in the identifier below.
    UserGroupInformation fakeCaller = UserGroupInformation.createRemoteUser(fakeAttempt.toString());
    NMTokenIdentifier fakeToken = new NMTokenIdentifier(
        fakeAttempt,
        getContext().getNodeId(),
        "testuser",
        getContext().getNMTokenSecretManager().getCurrentKey().getKeyId());
    fakeCaller.addTokenIdentifier(fakeToken);
    return fakeCaller;
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) ApplicationId(org.apache.hadoop.yarn.api.records.ApplicationId) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 4 with NMTokenIdentifier

use of org.apache.hadoop.yarn.security.NMTokenIdentifier in project hadoop by apache.

the class TestNMTokenSecretManagerInNM method testRecovery.

/**
 * Verifies that NMToken key state survives secret-manager restarts and that
 * tokens stop validating once their keys are no longer retained.
 *
 * <p>A "restart" is simulated by constructing a new
 * {@code NMTokenSecretManagerInNM} over the same state store and calling
 * {@code recover()}. The test walks through five phases: initial issue,
 * plain restart, one master-key roll with an application removed, a second
 * roll, and removal of the last application. After each restart it checks
 * the current key, whether a per-attempt key is present, and whether
 * {@code retrievePassword} still accepts each token or throws
 * {@code InvalidToken}.
 *
 * <p>Security-relevant behaviour pinned here: a token whose application has
 * finished keeps validating after a single key roll and is rejected only
 * after a second roll, while a token whose application is still registered
 * keeps validating across both rolls.
 */
@Test
public void testRecovery() throws IOException {
    YarnConfiguration conf = new YarnConfiguration();
    conf.setBoolean(YarnConfiguration.NM_RECOVERY_ENABLED, true);
    final NodeId nodeId = NodeId.newInstance("somehost", 1234);
    // Two attempts from two different applications, so one can be finished
    // while the other stays registered.
    final ApplicationAttemptId attempt1 = ApplicationAttemptId.newInstance(ApplicationId.newInstance(1, 1), 1);
    final ApplicationAttemptId attempt2 = ApplicationAttemptId.newInstance(ApplicationId.newInstance(2, 2), 2);
    NMTokenKeyGeneratorForTest keygen = new NMTokenKeyGeneratorForTest();
    NMMemoryStateStoreService stateStore = new NMMemoryStateStoreService();
    stateStore.init(conf);
    stateStore.start();
    // Phase 1: install a master key, mint one token per attempt, and register
    // both attempts as having started a container.
    NMTokenSecretManagerInNM secretMgr = new NMTokenSecretManagerInNM(stateStore);
    secretMgr.setNodeId(nodeId);
    MasterKey currentKey = keygen.generateKey();
    secretMgr.setMasterKey(currentKey);
    NMTokenIdentifier attemptToken1 = getNMTokenId(secretMgr.createNMToken(attempt1, nodeId, "user1"));
    NMTokenIdentifier attemptToken2 = getNMTokenId(secretMgr.createNMToken(attempt2, nodeId, "user2"));
    secretMgr.appAttemptStartContainer(attemptToken1);
    secretMgr.appAttemptStartContainer(attemptToken2);
    assertTrue(secretMgr.isAppAttemptNMTokenKeyPresent(attempt1));
    assertTrue(secretMgr.isAppAttemptNMTokenKeyPresent(attempt2));
    assertNotNull(secretMgr.retrievePassword(attemptToken1));
    assertNotNull(secretMgr.retrievePassword(attemptToken2));
    // Phase 2: restart and verify key is still there and token still valid
    secretMgr = new NMTokenSecretManagerInNM(stateStore);
    secretMgr.recover();
    secretMgr.setNodeId(nodeId);
    assertEquals(currentKey, secretMgr.getCurrentKey());
    assertTrue(secretMgr.isAppAttemptNMTokenKeyPresent(attempt1));
    assertTrue(secretMgr.isAppAttemptNMTokenKeyPresent(attempt2));
    assertNotNull(secretMgr.retrievePassword(attemptToken1));
    assertNotNull(secretMgr.retrievePassword(attemptToken2));
    // Phase 3: roll master key and remove an app
    currentKey = keygen.generateKey();
    secretMgr.setMasterKey(currentKey);
    secretMgr.appFinished(attempt1.getApplicationId());
    // restart and verify attempt1 key is still valid due to prev key persist:
    // the per-attempt key for attempt1 is gone, yet its token still validates
    // because the key it was minted under is retained as the previous key
    secretMgr = new NMTokenSecretManagerInNM(stateStore);
    secretMgr.recover();
    secretMgr.setNodeId(nodeId);
    assertEquals(currentKey, secretMgr.getCurrentKey());
    assertFalse(secretMgr.isAppAttemptNMTokenKeyPresent(attempt1));
    assertTrue(secretMgr.isAppAttemptNMTokenKeyPresent(attempt2));
    assertNotNull(secretMgr.retrievePassword(attemptToken1));
    assertNotNull(secretMgr.retrievePassword(attemptToken2));
    // Phase 4: roll master key again, restart, and verify attempt1 key is bad
    // but attempt2 is still good due to app key persist
    currentKey = keygen.generateKey();
    secretMgr.setMasterKey(currentKey);
    secretMgr = new NMTokenSecretManagerInNM(stateStore);
    secretMgr.recover();
    secretMgr.setNodeId(nodeId);
    assertEquals(currentKey, secretMgr.getCurrentKey());
    assertFalse(secretMgr.isAppAttemptNMTokenKeyPresent(attempt1));
    assertTrue(secretMgr.isAppAttemptNMTokenKeyPresent(attempt2));
    try {
        secretMgr.retrievePassword(attemptToken1);
        fail("attempt token should not still be valid");
    } catch (InvalidToken e) {
        // expected: the finished app's token is rejected after the second roll
    }
    assertNotNull(secretMgr.retrievePassword(attemptToken2));
    // Phase 5: remove last attempt, restart, verify both tokens are now bad
    secretMgr.appFinished(attempt2.getApplicationId());
    secretMgr = new NMTokenSecretManagerInNM(stateStore);
    secretMgr.recover();
    secretMgr.setNodeId(nodeId);
    assertEquals(currentKey, secretMgr.getCurrentKey());
    assertFalse(secretMgr.isAppAttemptNMTokenKeyPresent(attempt1));
    assertFalse(secretMgr.isAppAttemptNMTokenKeyPresent(attempt2));
    try {
        secretMgr.retrievePassword(attemptToken1);
        fail("attempt token should not still be valid");
    } catch (InvalidToken e) {
        // expected: attempt1's token stays rejected
    }
    try {
        secretMgr.retrievePassword(attemptToken2);
        fail("attempt token should not still be valid");
    } catch (InvalidToken e) {
        // expected: attempt2's token is rejected once its app has finished
    }
    // NOTE(review): not reached if an assertion above fails, so the store is
    // left open on a failing run.
    stateStore.close();
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) MasterKey(org.apache.hadoop.yarn.server.api.records.MasterKey) NodeId(org.apache.hadoop.yarn.api.records.NodeId) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) ApplicationAttemptId(org.apache.hadoop.yarn.api.records.ApplicationAttemptId) NMMemoryStateStoreService(org.apache.hadoop.yarn.server.nodemanager.recovery.NMMemoryStateStoreService) Test(org.junit.Test)

Example 5 with NMTokenIdentifier

use of org.apache.hadoop.yarn.security.NMTokenIdentifier in project hadoop by apache.

the class BaseNMTokenSecretManager method createNMToken.

/**
 * Creates an NMToken for one application attempt on one node.
 *
 * <p>The identifier records the attempt, the node, the submitting user and
 * the id of the master key that is current at the time of the call; the
 * password is derived from that identifier by {@code createPassword}. Both
 * steps run under the read lock.
 *
 * <p>NOTE(review): holding the read lock across both steps presumably keeps
 * the recorded key id and the key used for the password consistent if the
 * master key is rolled concurrently - confirm against the code that takes
 * the write lock. {@code currentMasterKey} is dereferenced without a null
 * check here, so a key must already be set before this is called.
 *
 * @param applicationAttemptId attempt the token is issued for
 * @param nodeId node the token is issued for
 * @param applicationSubmitter user name recorded in the identifier
 * @return the token built by {@code newInstance} from the password and identifier
 */
public Token createNMToken(ApplicationAttemptId applicationAttemptId, NodeId nodeId, String applicationSubmitter) {
    final NMTokenIdentifier tokenId;
    final byte[] tokenPassword;
    readLock.lock();
    try {
        tokenId = new NMTokenIdentifier(
            applicationAttemptId,
            nodeId,
            applicationSubmitter,
            currentMasterKey.getMasterKey().getKeyId());
        tokenPassword = createPassword(tokenId);
    } finally {
        readLock.unlock();
    }
    // The token object itself is assembled after the lock has been released.
    return newInstance(tokenPassword, tokenId);
}
Also used : NMTokenIdentifier(org.apache.hadoop.yarn.security.NMTokenIdentifier)

Aggregations

NMTokenIdentifier (org.apache.hadoop.yarn.security.NMTokenIdentifier)20 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)16 ArrayList (java.util.ArrayList)10 YarnException (org.apache.hadoop.yarn.exceptions.YarnException)10 ContainerId (org.apache.hadoop.yarn.api.records.ContainerId)9 IOException (java.io.IOException)7 HashMap (java.util.HashMap)6 ApplicationAttemptId (org.apache.hadoop.yarn.api.records.ApplicationAttemptId)6 StartContainerRequest (org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest)5 ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId)5 ContainerTokenIdentifier (org.apache.hadoop.yarn.security.ContainerTokenIdentifier)5 InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken)4 NodeId (org.apache.hadoop.yarn.api.records.NodeId)4 SerializedException (org.apache.hadoop.yarn.api.records.SerializedException)4 Container (org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container)4 UnsupportedFileSystemException (org.apache.hadoop.fs.UnsupportedFileSystemException)3 GetContainerStatusesRequest (org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusesRequest)3 StartContainersRequest (org.apache.hadoop.yarn.api.protocolrecords.StartContainersRequest)3 ContainerStatus (org.apache.hadoop.yarn.api.records.ContainerStatus)3 Test (org.junit.Test)3