Example 6 with TestSecurityMockRM
use of org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM in project hadoop by apache.
the class TestDelegationTokenRenewer method testReplaceExpiringDelegationToken.
@Test(timeout = 20000)
public void testReplaceExpiringDelegationToken() throws Exception {
conf.setBoolean(YarnConfiguration.RM_PROXY_USER_PRIVILEGES_ENABLED, true);
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(conf);
// create Token1:
Text userText1 = new Text("user1");
DelegationTokenIdentifier dtId1 = new DelegationTokenIdentifier(userText1, new Text("renewer1"), userText1);
// set max date to 0 to simulate an expiring token;
dtId1.setMaxDate(0);
final Token<DelegationTokenIdentifier> token1 = new Token<DelegationTokenIdentifier>(dtId1.getBytes(), "password1".getBytes(), dtId1.getKind(), new Text("service1"));
// create token2
Text userText2 = new Text("user2");
DelegationTokenIdentifier dtId2 = new DelegationTokenIdentifier(userText1, new Text("renewer2"), userText2);
final Token<DelegationTokenIdentifier> expectedToken = new Token<DelegationTokenIdentifier>(dtId2.getBytes(), "password2".getBytes(), dtId2.getKind(), new Text("service2"));
final MockRM rm = new TestSecurityMockRM(conf, null) {
@Override
protected DelegationTokenRenewer createDelegationTokenRenewer() {
return new DelegationTokenRenewer() {
@Override
protected Token<?>[] obtainSystemTokensForUser(String user, final Credentials credentials) throws IOException {
credentials.addToken(expectedToken.getService(), expectedToken);
return new Token<?>[] { expectedToken };
}
};
}
};
rm.start();
Credentials credentials = new Credentials();
credentials.addToken(userText1, token1);
RMApp app = rm.submitApp(200, "name", "user", new HashMap<ApplicationAccessType, String>(), false, "default", 1, credentials);
// wait for the initial expiring hdfs token to be removed from allTokens
GenericTestUtils.waitFor(new Supplier<Boolean>() {
public Boolean get() {
return rm.getRMContext().getDelegationTokenRenewer().getAllTokens().get(token1) == null;
}
}, 1000, 20000);
// wait for the initial expiring hdfs token to be removed from appTokens
GenericTestUtils.waitFor(new Supplier<Boolean>() {
public Boolean get() {
return !rm.getRMContext().getDelegationTokenRenewer().getDelegationTokens().contains(token1);
}
}, 1000, 20000);
// wait for the new retrieved hdfs token.
GenericTestUtils.waitFor(new Supplier<Boolean>() {
public Boolean get() {
return rm.getRMContext().getDelegationTokenRenewer().getDelegationTokens().contains(expectedToken);
}
}, 1000, 20000);
// check nm can retrieve the token
final MockNM nm1 = new MockNM("127.0.0.1:1234", 15120, rm.getResourceTrackerService());
nm1.registerNode();
NodeHeartbeatResponse response = nm1.nodeHeartbeat(true);
ByteBuffer tokenBuffer = response.getSystemCredentialsForApps().get(app.getApplicationId());
Assert.assertNotNull(tokenBuffer);
Credentials appCredentials = new Credentials();
DataInputByteBuffer buf = new DataInputByteBuffer();
tokenBuffer.rewind();
buf.reset(tokenBuffer);
appCredentials.readTokenStorageStream(buf);
Assert.assertTrue(appCredentials.getAllTokens().contains(expectedToken));
}
Also used :
RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp)
NodeHeartbeatResponse(org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse)
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
MockNM(org.apache.hadoop.yarn.server.resourcemanager.MockNM)
DataInputByteBuffer(org.apache.hadoop.io.DataInputByteBuffer)
Text(org.apache.hadoop.io.Text)
InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken)
Token(org.apache.hadoop.security.token.Token)
MockRM(org.apache.hadoop.yarn.server.resourcemanager.MockRM)
TestSecurityMockRM(org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)
ByteBuffer(java.nio.ByteBuffer)
DataInputByteBuffer(org.apache.hadoop.io.DataInputByteBuffer)
TestSecurityMockRM(org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)
ApplicationAccessType(org.apache.hadoop.yarn.api.records.ApplicationAccessType)
AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean)
Credentials(org.apache.hadoop.security.Credentials)
Test(org.junit.Test)
Example 7 with TestSecurityMockRM
use of org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM in project hadoop by apache.
the class TestDelegationTokenRenewer method testTokensConfExceedLimit.
// Test if app's token conf exceeds RM_DELEGATION_TOKEN_MAX_CONF_SIZE,
// app should fail
@Test
public void testTokensConfExceedLimit() throws Exception {
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
UserGroupInformation.setConfiguration(conf);
// limit 100 bytes
conf.setInt(YarnConfiguration.RM_DELEGATION_TOKEN_MAX_CONF_SIZE, 100);
MockRM rm = new TestSecurityMockRM(conf, null);
rm.start();
final MockNM nm1 = new MockNM("127.0.0.1:1234", 15120, rm.getResourceTrackerService());
nm1.registerNode();
// create a token
Text userText1 = new Text("user1");
DelegationTokenIdentifier dtId1 = new DelegationTokenIdentifier(userText1, new Text("renewer1"), userText1);
final Token<DelegationTokenIdentifier> token1 = new Token<DelegationTokenIdentifier>(dtId1.getBytes(), "password1".getBytes(), dtId1.getKind(), new Text("service1"));
Credentials credentials = new Credentials();
credentials.addToken(userText1, token1);
// create token conf for renewal, total size (512 bytes) > limit (100 bytes)
// By experiment, it's roughly 128 bytes per key-value pair.
Configuration appConf = new Configuration(false);
appConf.clear();
// 128 bytes
appConf.set("dfs.nameservices", "mycluster1,mycluster2");
//128 bytes
appConf.set("dfs.namenode.rpc-address.mycluster2.nn1", "123.0.0.1");
// 128 bytes
appConf.set("dfs.namenode.rpc-address.mycluster3.nn2", "123.0.0.2");
DataOutputBuffer dob = new DataOutputBuffer();
appConf.write(dob);
ByteBuffer tokenConf = ByteBuffer.wrap(dob.getData(), 0, dob.getLength());
try {
rm.submitApp(credentials, tokenConf);
Assert.fail();
} catch (Exception e) {
e.printStackTrace();
Assert.assertTrue(e.getCause().getMessage().contains(YarnConfiguration.RM_DELEGATION_TOKEN_MAX_CONF_SIZE));
}
}
Also used :
Configuration(org.apache.hadoop.conf.Configuration)
YarnConfiguration(org.apache.hadoop.yarn.conf.YarnConfiguration)
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
MockNM(org.apache.hadoop.yarn.server.resourcemanager.MockNM)
DataOutputBuffer(org.apache.hadoop.io.DataOutputBuffer)
MockRM(org.apache.hadoop.yarn.server.resourcemanager.MockRM)
TestSecurityMockRM(org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)
Text(org.apache.hadoop.io.Text)
InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken)
Token(org.apache.hadoop.security.token.Token)
ByteBuffer(java.nio.ByteBuffer)
DataInputByteBuffer(org.apache.hadoop.io.DataInputByteBuffer)
Credentials(org.apache.hadoop.security.Credentials)
URISyntaxException(java.net.URISyntaxException)
YarnException(org.apache.hadoop.yarn.exceptions.YarnException)
IOException(java.io.IOException)
BrokenBarrierException(java.util.concurrent.BrokenBarrierException)
TestSecurityMockRM(org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)
Test(org.junit.Test)
Example 8 with TestSecurityMockRM
use of org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM in project hadoop by apache.
the class TestDelegationTokenRenewer method testAppSubmissionWithPreviousToken.
// Test submitting an application with the token obtained by a previously
// submitted application.
@Test(timeout = 30000)
public void testAppSubmissionWithPreviousToken() throws Exception {
MockRM rm = new TestSecurityMockRM(conf, null);
rm.start();
final MockNM nm1 = new MockNM("127.0.0.1:1234", 15120, rm.getResourceTrackerService());
nm1.registerNode();
// create Token1:
Text userText1 = new Text("user");
DelegationTokenIdentifier dtId1 = new DelegationTokenIdentifier(userText1, new Text("renewer1"), userText1);
final Token<DelegationTokenIdentifier> token1 = new Token<DelegationTokenIdentifier>(dtId1.getBytes(), "password1".getBytes(), dtId1.getKind(), new Text("service1"));
Credentials credentials = new Credentials();
credentials.addToken(userText1, token1);
// submit app1 with a token, set cancelTokenWhenComplete to false;
Resource resource = Records.newRecord(Resource.class);
resource.setMemorySize(200);
RMApp app1 = rm.submitApp(resource, "name", "user", null, false, null, 2, credentials, null, true, false, false, null, 0, null, false, null);
MockAM am1 = MockRM.launchAndRegisterAM(app1, rm, nm1);
rm.waitForState(app1.getApplicationId(), RMAppState.RUNNING);
DelegationTokenRenewer renewer = rm.getRMContext().getDelegationTokenRenewer();
DelegationTokenToRenew dttr = renewer.getAllTokens().get(token1);
Assert.assertNotNull(dttr);
// submit app2 with the same token, set cancelTokenWhenComplete to true;
RMApp app2 = rm.submitApp(resource, "name", "user", null, false, null, 2, credentials, null, true, false, false, null, 0, null, true, null);
MockAM am2 = MockRM.launchAndRegisterAM(app2, rm, nm1);
rm.waitForState(app2.getApplicationId(), RMAppState.RUNNING);
finishAMAndWaitForComplete(app2, rm, nm1, am2, dttr);
Assert.assertTrue(rm.getRMContext().getDelegationTokenRenewer().getAllTokens().containsKey(token1));
finishAMAndWaitForComplete(app1, rm, nm1, am1, dttr);
// app2 completes, app1 is still running, check the token is not cancelled
Assert.assertFalse(Renewer.cancelled);
}
Also used :
RMApp(org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp)
DelegationTokenIdentifier(org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)
MockNM(org.apache.hadoop.yarn.server.resourcemanager.MockNM)
Resource(org.apache.hadoop.yarn.api.records.Resource)
LocalResource(org.apache.hadoop.yarn.api.records.LocalResource)
MockRM(org.apache.hadoop.yarn.server.resourcemanager.MockRM)
TestSecurityMockRM(org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)
Text(org.apache.hadoop.io.Text)
InvalidToken(org.apache.hadoop.security.token.SecretManager.InvalidToken)
Token(org.apache.hadoop.security.token.Token)
DelegationTokenToRenew(org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.DelegationTokenToRenew)
TestSecurityMockRM(org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)
MockAM(org.apache.hadoop.yarn.server.resourcemanager.MockAM)
Credentials(org.apache.hadoop.security.Credentials)
Test(org.junit.Test)
Aggregations
Credentials (org.apache.hadoop.security.Credentials)8
TestSecurityMockRM (org.apache.hadoop.yarn.server.resourcemanager.TestRMRestart.TestSecurityMockRM)8
Test (org.junit.Test)8
DelegationTokenIdentifier (org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier)7
Text (org.apache.hadoop.io.Text)7
InvalidToken (org.apache.hadoop.security.token.SecretManager.InvalidToken)7
Token (org.apache.hadoop.security.token.Token)7
MockNM (org.apache.hadoop.yarn.server.resourcemanager.MockNM)7
MockRM (org.apache.hadoop.yarn.server.resourcemanager.MockRM)7
RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp)7
ByteBuffer (java.nio.ByteBuffer)5
DataInputByteBuffer (org.apache.hadoop.io.DataInputByteBuffer)5
AtomicBoolean (java.util.concurrent.atomic.AtomicBoolean)4
DelegationTokenToRenew (org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.DelegationTokenToRenew)4
IOException (java.io.IOException)3
Configuration (org.apache.hadoop.conf.Configuration)3
YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration)3
NodeHeartbeatResponse (org.apache.hadoop.yarn.server.api.protocolrecords.NodeHeartbeatResponse)3
DataOutputBuffer (org.apache.hadoop.io.DataOutputBuffer)2
ApplicationAccessType (org.apache.hadoop.yarn.api.records.ApplicationAccessType)2
