
Example 11 with RMDelegationTokenIdentifier

use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

the class ClientRMService method cancelDelegationToken.

@Override
public CancelDelegationTokenResponse cancelDelegationToken(CancelDelegationTokenRequest request) throws YarnException {
    try {
        // Token management (get/renew/cancel) is only open to callers who authenticated with
        // Kerberos; a caller who is itself authenticated by a delegation token must not be able
        // to manage tokens.
        if (!isAllowedDelegationTokenOp()) {
            throw new IOException("Delegation Token can be cancelled only with kerberos authentication");
        }
        // Rebuild the Hadoop Token (identifier, password, kind, service) from the protobuf record.
        org.apache.hadoop.yarn.api.records.Token protoToken = request.getDelegationToken();
        Token<RMDelegationTokenIdentifier> token = new Token<RMDelegationTokenIdentifier>(
                protoToken.getIdentifier().array(), protoToken.getPassword().array(),
                new Text(protoToken.getKind()), new Text(protoToken.getService()));
        // The secret manager only lets the token's owner or its designated renewer cancel it;
        // anyone else gets an AccessControlException.
        String user = UserGroupInformation.getCurrentUser().getUserName();
        rmDTSecretManager.cancelToken(token, user);
        return Records.newRecord(CancelDelegationTokenResponse.class);
    } catch (IOException e) {
        throw RPCUtil.getRemoteException(e);
    }
}
Also used : Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text) IOException(java.io.IOException) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier)

Example 12 with RMDelegationTokenIdentifier

use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

the class RMWebServices method renewDelegationToken.

private Response renewDelegationToken(DelegationToken tokenData, HttpServletRequest hsr, UserGroupInformation callerUGI) throws AuthorizationException, IOException, InterruptedException, Exception {
    // Parse the URL-encoded token string from the request body back into a Hadoop Token.
    Token<RMDelegationTokenIdentifier> token = extractToken(tokenData.getToken());
    org.apache.hadoop.yarn.api.records.Token dToken = BuilderUtils.newDelegationToken(
            token.getIdentifier(), token.getKind().toString(), token.getPassword(), token.getService().toString());
    final RenewDelegationTokenRequest req = RenewDelegationTokenRequest.newInstance(dToken);
    RenewDelegationTokenResponse resp;
    try {
        // Run the RPC as the authenticated web caller, so ClientRMService applies its
        // Kerberos-only and renewer checks to that user rather than to the web server's identity.
        resp = callerUGI.doAs(new PrivilegedExceptionAction<RenewDelegationTokenResponse>() {

            @Override
            public RenewDelegationTokenResponse run() throws IOException, YarnException {
                return rm.getClientRMService().renewDelegationToken(req);
            }
        });
    } catch (UndeclaredThrowableException ue) {
        // doAs wraps checked exceptions. Map the secret manager's failures to HTTP status codes:
        // InvalidToken (malformed, expired or unknown token) -> 400 Bad Request;
        // AccessControlException (caller is not the renewer, or the password does not verify) -> 403 Forbidden.
        if (ue.getCause() instanceof YarnException) {
            Throwable root = ue.getCause().getCause();
            if (root instanceof InvalidToken) {
                throw new BadRequestException(root.getMessage());
            } else if (root instanceof org.apache.hadoop.security.AccessControlException) {
                return Response.status(Status.FORBIDDEN).entity(root.getMessage()).build();
            }
        }
        LOG.info("Renew delegation token request failed", ue);
        throw ue;
    } catch (Exception e) {
        LOG.info("Renew delegation token request failed", e);
        throw e;
    }
    long renewTime = resp.getNextExpirationTime();
    DelegationToken respToken = new DelegationToken();
    respToken.setNextExpirationTime(renewTime);
    return Response.status(Status.OK).entity(respToken).build();
}
Also used : RenewDelegationTokenRequest(org.apache.hadoop.yarn.api.protocolrecords.RenewDelegationTokenRequest) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) AccessControlException(java.security.AccessControlException) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) RenewDelegationTokenResponse(org.apache.hadoop.yarn.api.protocolrecords.RenewDelegationTokenResponse) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) ForbiddenException(org.apache.hadoop.yarn.webapp.ForbiddenException) NotFoundException(org.apache.hadoop.yarn.webapp.NotFoundException) IOException(java.io.IOException) YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) ParseException(java.text.ParseException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) BadRequestException(org.apache.hadoop.yarn.webapp.BadRequestException) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken)

Example 13 with RMDelegationTokenIdentifier

use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

the class RMWebServices method createDelegationToken.

private Response createDelegationToken(DelegationToken tokenData, HttpServletRequest hsr, UserGroupInformation callerUGI) throws AuthorizationException, IOException, InterruptedException, Exception {
    final String renewer = tokenData.getRenewer();
    GetDelegationTokenResponse resp;
    try {
        // Issue the token as the authenticated caller: the caller becomes the token's owner,
        // and only `renewer` will later be allowed to renew it.
        resp = callerUGI.doAs(new PrivilegedExceptionAction<GetDelegationTokenResponse>() {

            @Override
            public GetDelegationTokenResponse run() throws IOException, YarnException {
                GetDelegationTokenRequest createReq = GetDelegationTokenRequest.newInstance(renewer);
                return rm.getClientRMService().getDelegationToken(createReq);
            }
        });
    } catch (Exception e) {
        LOG.info("Create delegation token request failed", e);
        throw e;
    }
    // Convert the protobuf record into a Hadoop Token and decode its identifier
    // (owner, renewer, real user, issue/max date, sequence number, master key id).
    Token<RMDelegationTokenIdentifier> tk = new Token<RMDelegationTokenIdentifier>(
            resp.getRMDelegationToken().getIdentifier().array(),
            resp.getRMDelegationToken().getPassword().array(),
            new Text(resp.getRMDelegationToken().getKind()),
            new Text(resp.getRMDelegationToken().getService()));
    RMDelegationTokenIdentifier identifier = tk.decodeIdentifier();
    long currentExpiration = rm.getRMContext().getRMDelegationTokenSecretManager().getRenewDate(identifier);
    // encodeToUrlString() serialises identifier, password, kind and service. The password is
    // the token's secret, so this response body is a credential and must only be sent over
    // an authenticated, encrypted channel.
    DelegationToken respToken = new DelegationToken(tk.encodeToUrlString(), renewer,
            identifier.getOwner().toString(), tk.getKind().toString(), currentExpiration, identifier.getMaxDate());
    return Response.status(Status.OK).entity(respToken).build();
}
Also used : GetDelegationTokenRequest(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest) GetDelegationTokenResponse(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse) DelegationToken(org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken) Token(org.apache.hadoop.security.token.Token) Text(org.apache.hadoop.io.Text) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) ForbiddenException(org.apache.hadoop.yarn.webapp.ForbiddenException) NotFoundException(org.apache.hadoop.yarn.webapp.NotFoundException) IOException(java.io.IOException) YarnRuntimeException(org.apache.hadoop.yarn.exceptions.YarnRuntimeException) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) ParseException(java.text.ParseException) AccessControlException(java.security.AccessControlException) YarnException(org.apache.hadoop.yarn.exceptions.YarnException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) BadRequestException(org.apache.hadoop.yarn.webapp.BadRequestException)

Example 14 with RMDelegationTokenIdentifier

use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

the class TestYARNRunner method testGetHSDelegationToken.

@Test(timeout = 20000)
public void testGetHSDelegationToken() throws Exception {
    try {
        Configuration conf = new Configuration();
        // Setup mock service
        InetSocketAddress mockRmAddress = new InetSocketAddress("localhost", 4444);
        Text rmTokenSevice = SecurityUtil.buildTokenService(mockRmAddress);
        InetSocketAddress mockHsAddress = new InetSocketAddress("localhost", 9200);
        Text hsTokenSevice = SecurityUtil.buildTokenService(mockHsAddress);
        // Setup mock rm token
        RMDelegationTokenIdentifier tokenIdentifier = new RMDelegationTokenIdentifier(new Text("owner"), new Text("renewer"), new Text("real"));
        Token<RMDelegationTokenIdentifier> token = new Token<RMDelegationTokenIdentifier>(new byte[0], new byte[0], tokenIdentifier.getKind(), rmTokenSevice);
        token.setKind(RMDelegationTokenIdentifier.KIND_NAME);
        // Setup mock history token
        org.apache.hadoop.yarn.api.records.Token historyToken = org.apache.hadoop.yarn.api.records.Token.newInstance(
                new byte[0], MRDelegationTokenIdentifier.KIND_NAME.toString(), new byte[0], hsTokenSevice.toString());
        GetDelegationTokenResponse getDtResponse = Records.newRecord(GetDelegationTokenResponse.class);
        getDtResponse.setDelegationToken(historyToken);
        // mock services
        MRClientProtocol mockHsProxy = mock(MRClientProtocol.class);
        doReturn(mockHsAddress).when(mockHsProxy).getConnectAddress();
        doReturn(getDtResponse).when(mockHsProxy).getDelegationToken(any(GetDelegationTokenRequest.class));
        ResourceMgrDelegate rmDelegate = mock(ResourceMgrDelegate.class);
        doReturn(rmTokenSevice).when(rmDelegate).getRMDelegationTokenService();
        ClientCache clientCache = mock(ClientCache.class);
        doReturn(mockHsProxy).when(clientCache).getInitializedHSProxy();
        Credentials creds = new Credentials();
        YARNRunner yarnRunner = new YARNRunner(conf, rmDelegate, clientCache);
        // No HS token if no RM token
        yarnRunner.addHistoryToken(creds);
        verify(mockHsProxy, times(0)).getDelegationToken(any(GetDelegationTokenRequest.class));
        // No HS token if RM token present but security disabled.
        creds.addToken(new Text("rmdt"), token);
        yarnRunner.addHistoryToken(creds);
        verify(mockHsProxy, times(0)).getDelegationToken(any(GetDelegationTokenRequest.class));
        conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
        UserGroupInformation.setConfiguration(conf);
        creds = new Credentials();
        // No HS token if no RM token, security enabled
        yarnRunner.addHistoryToken(creds);
        verify(mockHsProxy, times(0)).getDelegationToken(any(GetDelegationTokenRequest.class));
        // HS token if RM token present, security enabled
        creds.addToken(new Text("rmdt"), token);
        yarnRunner.addHistoryToken(creds);
        verify(mockHsProxy, times(1)).getDelegationToken(any(GetDelegationTokenRequest.class));
        // No additional call to get HS token if RM and HS token present
        yarnRunner.addHistoryToken(creds);
        verify(mockHsProxy, times(1)).getDelegationToken(any(GetDelegationTokenRequest.class));
    } finally {
        // Back to defaults.
        UserGroupInformation.setConfiguration(new Configuration());
    }
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration) GetDelegationTokenResponse(org.apache.hadoop.mapreduce.v2.api.protocolrecords.GetDelegationTokenResponse) InetSocketAddress(java.net.InetSocketAddress) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) MRClientProtocol(org.apache.hadoop.mapreduce.v2.api.MRClientProtocol) GetDelegationTokenRequest(org.apache.hadoop.mapreduce.v2.api.protocolrecords.GetDelegationTokenRequest) Credentials(org.apache.hadoop.security.Credentials) Test(org.junit.Test)

Example 15 with RMDelegationTokenIdentifier

use of org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier in project hadoop by apache.

the class TestRMRestart method testAppSubmissionWithOldDelegationTokenAfterRMRestart.

// Submit an application to a new RM using a delegation token obtained from the previous RM.
// Both RMs share the same state store, so the token's master key is recovered on restart and
// the old token is still accepted.
@Test(timeout = 60000)
public void testAppSubmissionWithOldDelegationTokenAfterRMRestart() throws Exception {
    conf.setInt(YarnConfiguration.RM_AM_MAX_ATTEMPTS, 2);
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    conf.set(YarnConfiguration.RM_ADDRESS, "localhost:8032");
    UserGroupInformation.setConfiguration(conf);
    MemoryRMStateStore memStore = new MemoryRMStateStore();
    memStore.init(conf);
    MockRM rm1 = new TestSecurityMockRM(conf, memStore);
    rm1.start();
    GetDelegationTokenRequest request1 = GetDelegationTokenRequest.newInstance("renewer1");
    UserGroupInformation.getCurrentUser().setAuthenticationMethod(AuthMethod.KERBEROS);
    GetDelegationTokenResponse response1 = rm1.getClientRMService().getDelegationToken(request1);
    Token<RMDelegationTokenIdentifier> token1 = ConverterUtils.convertFromYarn(response1.getRMDelegationToken(), rmAddr);
    // start new RM
    MockRM rm2 = new TestSecurityMockRM(conf, memStore);
    rm2.start();
    // submit an app with the old delegation token got from previous RM.
    Credentials ts = new Credentials();
    ts.addToken(token1.getService(), token1);
    RMApp app = rm2.submitApp(200, "name", "user", new HashMap<ApplicationAccessType, String>(),
            false, "default", 1, ts);
    rm2.waitForState(app.getApplicationId(), RMAppState.ACCEPTED);
}
Also used : GetDelegationTokenRequest(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest) RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) MemoryRMStateStore(org.apache.hadoop.yarn.server.resourcemanager.recovery.MemoryRMStateStore) GetDelegationTokenResponse(org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse) ApplicationAccessType(org.apache.hadoop.yarn.api.records.ApplicationAccessType) RMDelegationTokenIdentifier(org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) Credentials(org.apache.hadoop.security.Credentials) Test(org.junit.Test)
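The examples above show the RM endpoints but not the policy the secret manager enforces underneath them. The following stand-alone program is an added example, not code from the Hadoop project: it walks one RM delegation token through the operations Examples 11, 12, 13 and 15 exercise (issue, encode and decode, renew, recovery on a restarted secret manager, cancel) and shows which requests are rejected with InvalidToken versus AccessControlException, the two cases RMWebServices maps to HTTP 400 and 403. The class names RMDelegationTokenLifecycleDemo and DemoSecretManager are hypothetical; the user names alice, yarn and mallory and the service address localhost:8032 are constructed sample values. It assumes hadoop-common and hadoop-yarn-common on the classpath and Java 8 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.security.token.delegation.DelegationKey;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;

public class RMDelegationTokenLifecycleDemo {
    // Hypothetical stand-in for the RM's RMDelegationTokenSecretManager: the issue/renew/
    // cancel policy exercised below lives in AbstractDelegationTokenSecretManager.
    static class DemoSecretManager
            extends AbstractDelegationTokenSecretManager<RMDelegationTokenIdentifier> {
        DemoSecretManager() {
            // key-update interval, token max lifetime, renew interval, remover scan interval (ms)
            super(86_400_000L, 7 * 86_400_000L, 86_400_000L, 3_600_000L);
        }
        @Override
        public RMDelegationTokenIdentifier createIdentifier() {
            return new RMDelegationTokenIdentifier();
        }
    }

    interface Op { void run() throws IOException; }

    // Runs op and insists it fails with `expected`; RMWebServices maps these to HTTP:
    // InvalidToken -> 400 Bad Request, AccessControlException -> 403 Forbidden.
    static void expectRejected(String label, Class<? extends IOException> expected, Op op) {
        try {
            op.run();
        } catch (IOException e) {
            if (!expected.isInstance(e)) throw new AssertionError(label + ": unexpected " + e, e);
            System.out.println(label + " -> " + e.getClass().getSimpleName() + ": " + e.getMessage());
            return;
        }
        throw new AssertionError(label + ": was not rejected");
    }

    public static void main(String[] args) throws Exception {
        DemoSecretManager rm1 = new DemoSecretManager();
        rm1.startThreads();   // generates the first master key; nothing can be issued before this
        try {
            // 1. Issue (Example 13): the identifier names owner, renewer and real user; the
            //    password is an HMAC over the identifier bytes under the current master key.
            RMDelegationTokenIdentifier id = new RMDelegationTokenIdentifier(
                    new Text("alice"), new Text("yarn"), new Text(""));
            Token<RMDelegationTokenIdentifier> token = new Token<>(id, rm1);
            token.setService(new Text("localhost:8032"));   // constructed sample service address

            // 2. Wire form the REST endpoint returns, decoded the way the secret manager does
            //    (Token.decodeIdentifier() reaches the same class through ServiceLoader).
            Token<RMDelegationTokenIdentifier> fromWire = new Token<>();
            fromWire.decodeFromUrlString(token.encodeToUrlString());
            RMDelegationTokenIdentifier decoded = new RMDelegationTokenIdentifier();
            decoded.readFields(new DataInputStream(new ByteArrayInputStream(fromWire.getIdentifier())));
            System.out.println("kind=" + fromWire.getKind() + " owner=" + decoded.getOwner()
                    + " renewer=" + decoded.getRenewer() + " seq=" + decoded.getSequenceNumber()
                    + " masterKeyId=" + decoded.getMasterKeyId() + " maxDate=" + decoded.getMaxDate());

            // 3. Renew (Example 12): only the designated renewer, and only with the right password.
            long next = rm1.renewToken(fromWire, "yarn");
            System.out.println("renewed by yarn, next expiration " + next);
            expectRejected("renew as owner alice", AccessControlException.class,
                    () -> rm1.renewToken(fromWire, "alice"));
            Token<RMDelegationTokenIdentifier> forged = new Token<>(
                    token.getIdentifier(), new byte[] {0, 1, 2, 3}, token.getKind(), token.getService());
            expectRejected("renew with forged password", AccessControlException.class,
                    () -> rm1.renewToken(forged, "yarn"));

            // 4. Restart (Example 15): a manager seeded with the persisted master keys and token
            //    identifiers accepts the old token; one started from scratch does not know it.
            DemoSecretManager rm2 = new DemoSecretManager();
            for (DelegationKey key : rm1.getAllKeys()) rm2.addKey(key);
            rm2.addPersistedDelegationToken(decoded, next);
            rm2.startThreads();
            rm2.verifyToken(decoded, fromWire.getPassword());
            System.out.println("rm2 accepted the token issued by rm1");
            rm2.stopThreads();
            DemoSecretManager freshRm = new DemoSecretManager();
            freshRm.startThreads();
            expectRejected("verify on RM without recovered keys", InvalidToken.class,
                    () -> freshRm.verifyToken(decoded, fromWire.getPassword()));
            freshRm.stopThreads();

            // 5. Cancel (Example 11): owner or renewer only; afterwards the token is unknown.
            expectRejected("cancel as mallory", AccessControlException.class,
                    () -> rm1.cancelToken(fromWire, "mallory"));
            rm1.cancelToken(fromWire, "alice");
            expectRejected("renew after cancel", InvalidToken.class,
                    () -> rm1.renewToken(fromWire, "yarn"));
        } finally {
            rm1.stopThreads();
        }
    }
}
```

Step 4 is the mechanism behind Example 15: the real RM does the same addKey and addPersistedDelegationToken calls from its RMStateStore before calling startThreads, which is why a token minted by the old RM validates on the new one. Note that the Kerberos-only gate of Example 11 (isAllowedDelegationTokenOp) sits in ClientRMService, not in the secret manager, so it is not exercised here.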

Aggregations (number of usages in the indexed sources)

RMDelegationTokenIdentifier (org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier) 30
Token (org.apache.hadoop.security.token.Token) 15
Text (org.apache.hadoop.io.Text) 13
IOException (java.io.IOException) 12
Test (org.junit.Test) 11
InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken) 8
DelegationKey (org.apache.hadoop.security.token.delegation.DelegationKey) 6
YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration) 6
Configuration (org.apache.hadoop.conf.Configuration) 5
Credentials (org.apache.hadoop.security.Credentials) 5
GetDelegationTokenResponse (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenResponse) 5
DelegationToken (org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.DelegationToken) 5
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation) 4
GetDelegationTokenRequest (org.apache.hadoop.yarn.api.protocolrecords.GetDelegationTokenRequest) 4
YarnException (org.apache.hadoop.yarn.exceptions.YarnException) 4
RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp) 4
ByteArrayInputStream (java.io.ByteArrayInputStream) 3
DataInputStream (java.io.DataInputStream) 3
UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException) 3
AccessControlException (java.security.AccessControlException) 3