
Example 6 with ClientToAMTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier in project hadoop by apache.

From class RMAppAttemptImpl, method createClientToken.

/**
 * Builds a client-to-AM token for {@code client}; the RM-side secret manager
 * supplies the token password from this attempt's master key.
 *
 * @param client short user name of the client the token is issued to
 * @return the token, or {@code null} when {@code client} is null or the
 *         secret manager holds no master key for this attempt
 */
@Override
public Token<ClientToAMTokenIdentifier> createClientToken(String client) {
    // The master-key lookup happens under the attempt's read lock.
    this.readLock.lock();
    try {
        ClientToAMTokenSecretManagerInRM secretMgr =
            this.rmContext.getClientToAMTokenSecretManager();
        if (client == null) {
            return null;
        }
        if (secretMgr.getMasterKey(this.applicationAttemptId) == null) {
            // Without a master key there is nothing to sign the token with.
            return null;
        }
        ClientToAMTokenIdentifier identifier =
            new ClientToAMTokenIdentifier(this.applicationAttemptId, client);
        return new Token<ClientToAMTokenIdentifier>(identifier, secretMgr);
    } finally {
        this.readLock.unlock();
    }
}

Example 7 with ClientToAMTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier in project hadoop by apache.

From class TestClientToAMTokens, method verifyTokenWithTamperedID.

/**
 * Hands {@code verifyTamperedToken} an identifier whose application attempt id
 * differs from the one the AM is running as, while keeping the caller's own
 * short user name as the client name.
 *
 * @param conf  configuration used to build the client connection
 * @param am    the running AM whose attempt id is being spoofed
 * @param token the genuine token whose identifier is being substituted
 * @throws IOException if the current user cannot be resolved, or propagated
 *                     from the tampered-token check
 */
private void verifyTokenWithTamperedID(final Configuration conf, final CustomAM am,
    Token<ClientToAMTokenIdentifier> token) throws IOException {
    // Malicious user: same cluster timestamp as the real app, but a different
    // application id (42) and attempt number (43).
    UserGroupInformation attacker = UserGroupInformation.createRemoteUser("me");
    long clusterTimestamp = am.appAttemptId.getApplicationId().getClusterTimestamp();
    ApplicationAttemptId forgedAttemptId = BuilderUtils.newApplicationAttemptId(
        BuilderUtils.newApplicationId(clusterTimestamp, 42), 43);
    String currentUser = UserGroupInformation.getCurrentUser().getShortUserName();
    ClientToAMTokenIdentifier forgedId =
        new ClientToAMTokenIdentifier(forgedAttemptId, currentUser);
    verifyTamperedToken(conf, am, token, attacker, forgedId);
}

Example 8 with ClientToAMTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier in project hadoop by apache.

From class TestClientToAMTokens, method testClientTokenRace.

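/**
 * Exercises the race in which a client presents its client-to-AM token before
 * the AM has received the shared master key: the key is delivered from a timer
 * after a delay, and the client connection is expected to wait for it rather
 * than fail authentication (see {@code verifyValidToken}).
 *
 * @throws Exception on any failure of RM/AM setup or token verification
 */
@Test(timeout = 20000)
public void testClientTokenRace() throws Exception {
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    UserGroupInformation.setConfiguration(conf);
    ContainerManagementProtocol containerManager = mock(ContainerManagementProtocol.class);
    StartContainersResponse mockResponse = mock(StartContainersResponse.class);
    when(containerManager.startContainers((StartContainersRequest) any())).thenReturn(mockResponse);
    final DrainDispatcher dispatcher = new DrainDispatcher();
    MockRM rm = new MockRMWithCustomAMLauncher(conf, containerManager) {

        @Override
        protected ClientRMService createClientRMService() {
            return new ClientRMService(this.rmContext, scheduler, this.rmAppManager,
                this.applicationACLsManager, this.queueACLsManager,
                getRMContext().getRMDelegationTokenSecretManager());
        }

        @Override
        protected Dispatcher createDispatcher() {
            return dispatcher;
        }

        @Override
        protected void doSecureLogin() throws IOException {
            // No real Kerberos login in the test; security is enabled by configuration only.
        }
    };
    rm.start();
    try {
        // Submit an app
        RMApp app = rm.submitApp(1024);
        // Set up a node.
        MockNM nm1 = rm.registerNode("localhost:1234", 3072);
        nm1.nodeHeartbeat(true);
        dispatcher.await();
        nm1.nodeHeartbeat(true);
        dispatcher.await();
        ApplicationAttemptId appAttempt = app.getCurrentAppAttempt().getAppAttemptId();
        final MockAM mockAM = new MockAM(rm.getRMContext(), rm.getApplicationMasterService(),
            app.getCurrentAppAttempt().getAppAttemptId());
        UserGroupInformation appUgi = UserGroupInformation.createRemoteUser(appAttempt.toString());
        RegisterApplicationMasterResponse response =
            appUgi.doAs(new PrivilegedAction<RegisterApplicationMasterResponse>() {

                @Override
                public RegisterApplicationMasterResponse run() {
                    try {
                        return mockAM.registerAppAttempt();
                    } catch (Exception e) {
                        // Keep the cause attached so a registration failure is diagnosable.
                        throw new AssertionError("Exception was not expected", e);
                    }
                }
            });
        // Get the app-report.
        GetApplicationReportRequest request = Records.newRecord(GetApplicationReportRequest.class);
        request.setApplicationId(app.getApplicationId());
        GetApplicationReportResponse reportResponse = rm.getClientRMService().getApplicationReport(request);
        ApplicationReport appReport = reportResponse.getApplicationReport();
        org.apache.hadoop.yarn.api.records.Token originalClientToAMToken = appReport.getClientToAMToken();
        // ClientToAMToken master key should have been received on register
        // application master response.
        final ByteBuffer clientMasterKey = response.getClientToAMTokenMasterKey();
        Assert.assertNotNull(clientMasterKey);
        Assert.assertTrue(clientMasterKey.array().length > 0);
        // Start the AM with the correct shared-secret.
        ApplicationAttemptId appAttemptId = app.getAppAttempts().keySet().iterator().next();
        Assert.assertNotNull(appAttemptId);
        final CustomAM am = new CustomAM(appAttemptId, null);
        am.init(conf);
        am.start();
        try {
            // Now the real test!
            // Set up clients to be able to pick up correct tokens.
            SecurityUtil.setSecurityInfoProviders(new CustomSecurityInfo());
            Token<ClientToAMTokenIdentifier> token =
                ConverterUtils.convertFromYarn(originalClientToAMToken, am.address);
            // Schedule the key to be set after a significant delay.
            // Timer runs a non-daemon thread: cancelled in finally so it cannot
            // outlive the test if verification fails.
            Timer timer = new Timer();
            try {
                TimerTask timerTask = new TimerTask() {

                    @Override
                    public void run() {
                        am.setClientSecretKey(clientMasterKey.array());
                    }
                };
                timer.schedule(timerTask, 250);
                // connect should pause waiting for the master key to arrive
                verifyValidToken(conf, am, token);
            } finally {
                timer.cancel();
            }
        } finally {
            am.stop();
        }
    } finally {
        rm.stop();
    }
}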

Example 9 with ClientToAMTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier in project hadoop by apache.

From class TestClientToAMTokens, method verifyTokenWithTamperedUserName.

/**
 * Hands {@code verifyTamperedToken} an identifier that keeps the AM's real
 * attempt id but names a different client user than the token was issued to.
 *
 * @param conf  configuration used to build the client connection
 * @param am    the running AM the client connects to
 * @param token the genuine token whose identifier is being substituted
 * @throws IOException propagated from the tampered-token check
 */
private void verifyTokenWithTamperedUserName(final Configuration conf, final CustomAM am,
    Token<ClientToAMTokenIdentifier> token) throws IOException {
    // Malicious user: correct attempt id, forged client name.
    UserGroupInformation attacker = UserGroupInformation.createRemoteUser("me");
    ClientToAMTokenIdentifier forgedId =
        new ClientToAMTokenIdentifier(am.appAttemptId, "evilOrc");
    verifyTamperedToken(conf, am, token, attacker, forgedId);
}

Example 10 with ClientToAMTokenIdentifier

Use of org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier in project hadoop by apache.

From class TestYARNTokenIdentifier, method testClientToAMTokenIdentifier.

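/**
 * Round-trips a {@link ClientToAMTokenIdentifier} through its wire format
 * ({@code getBytes()} followed by {@code readFields}) and checks that the
 * decoded identifier equals the original and exposes the same application
 * attempt id and client name.
 *
 * @throws IOException if {@code readFields} fails on the serialized bytes
 */
@Test
public void testClientToAMTokenIdentifier() throws IOException {
    ApplicationAttemptId appAttemptId =
        ApplicationAttemptId.newInstance(ApplicationId.newInstance(1, 1), 1);
    String clientName = "user";
    ClientToAMTokenIdentifier token = new ClientToAMTokenIdentifier(appAttemptId, clientName);
    ClientToAMTokenIdentifier anotherToken = new ClientToAMTokenIdentifier();
    byte[] tokenContent = token.getBytes();
    DataInputBuffer dib = new DataInputBuffer();
    dib.reset(tokenContent, tokenContent.length);
    anotherToken.readFields(dib);
    // verify the whole record equals with original record
    Assert.assertEquals("Token is not the same after serialization " + "and deserialization.", token, anotherToken);
    // assertEquals takes (expected, actual): pass the original values as
    // expected so a failure message reads the right way round.
    Assert.assertEquals("ApplicationAttemptId from proto is not the same with original token", appAttemptId, anotherToken.getApplicationAttemptID());
    Assert.assertEquals("clientName from proto is not the same with original token", clientName, anotherToken.getClientName());
}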
