YARN-2798. Fixed YarnClient to populate the renewer correctly for Timeline delegation tokens. Contributed by Zhijie Shen.

Vinod Kumar Vavilapalli 2014-11-03 12:36:44 -08:00
parent 6157ace547
commit 71fbb474f5
4 changed files with 57 additions and 7 deletions


@ -842,6 +842,9 @@ Release 2.6.0 - UNRELEASED
YARN-2730. DefaultContainerExecutor runs only one localizer at a time YARN-2730. DefaultContainerExecutor runs only one localizer at a time
(Siqi Li via jlowe) (Siqi Li via jlowe)
YARN-2798. Fixed YarnClient to populate the renewer correctly for Timeline
delegation tokens. (Zhijie Shen via vinodkv)
Release 2.5.1 - 2014-09-05 Release 2.5.1 - 2014-09-05
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


@ -36,7 +36,7 @@ import org.apache.hadoop.io.DataOutputBuffer;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.RPC; import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.HadoopKerberosName; import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.yarn.api.ApplicationClientProtocol; import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
@ -51,7 +51,6 @@ import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsResponse;
import org.apache.hadoop.yarn.api.protocolrecords.GetClusterMetricsRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetClusterMetricsRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetClusterMetricsResponse; import org.apache.hadoop.yarn.api.protocolrecords.GetClusterMetricsResponse;
import org.apache.hadoop.yarn.api.protocolrecords.GetClusterNodeLabelsRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetClusterNodeLabelsRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetClusterNodeLabelsResponse;
import org.apache.hadoop.yarn.api.protocolrecords.GetClusterNodesRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetClusterNodesRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetClusterNodesResponse; import org.apache.hadoop.yarn.api.protocolrecords.GetClusterNodesResponse;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerReportRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetContainerReportRequest;
@ -124,6 +123,8 @@ public class YarnClientImpl extends YarnClient {
protected TimelineClient timelineClient; protected TimelineClient timelineClient;
@VisibleForTesting @VisibleForTesting
Text timelineService; Text timelineService;
@VisibleForTesting
String timelineDTRenewer;
protected boolean timelineServiceEnabled; protected boolean timelineServiceEnabled;
private static final String ROOT = "root"; private static final String ROOT = "root";
@ -161,6 +162,7 @@ public class YarnClientImpl extends YarnClient {
timelineServiceEnabled = true; timelineServiceEnabled = true;
timelineClient = TimelineClient.createTimelineClient(); timelineClient = TimelineClient.createTimelineClient();
timelineClient.init(conf); timelineClient.init(conf);
timelineDTRenewer = getTimelineDelegationTokenRenewer(conf);
timelineService = TimelineUtils.buildTimelineTokenService(conf); timelineService = TimelineUtils.buildTimelineTokenService(conf);
} }
super.serviceInit(conf); super.serviceInit(conf);
@ -320,14 +322,22 @@ public class YarnClientImpl extends YarnClient {
@VisibleForTesting @VisibleForTesting
org.apache.hadoop.security.token.Token<TimelineDelegationTokenIdentifier> org.apache.hadoop.security.token.Token<TimelineDelegationTokenIdentifier>
getTimelineDelegationToken() throws IOException, YarnException { getTimelineDelegationToken() throws IOException, YarnException {
return timelineClient.getDelegationToken(timelineDTRenewer);
}
private static String getTimelineDelegationTokenRenewer(Configuration conf)
throws IOException, YarnException {
// Parse the RM daemon user if it exists in the config // Parse the RM daemon user if it exists in the config
String rmPrincipal = getConfig().get(YarnConfiguration.RM_PRINCIPAL); String rmPrincipal = conf.get(YarnConfiguration.RM_PRINCIPAL);
String renewer = null; String renewer = null;
if (rmPrincipal != null && rmPrincipal.length() > 0) { if (rmPrincipal != null && rmPrincipal.length() > 0) {
HadoopKerberosName renewerKrbName = new HadoopKerberosName(rmPrincipal); String rmHost = conf.getSocketAddr(
renewer = renewerKrbName.getShortName(); YarnConfiguration.RM_ADDRESS,
YarnConfiguration.DEFAULT_RM_ADDRESS,
YarnConfiguration.DEFAULT_RM_PORT).getHostName();
renewer = SecurityUtil.getServerPrincipal(rmPrincipal, rmHost);
} }
return timelineClient.getDelegationToken(renewer); return renewer;
} }
@Private @Private
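Review bot: In `getTimelineDelegationTokenRenewer`, the `_HOST` part of the renewer principal is filled in from whatever `YarnConfiguration.RM_ADDRESS` resolves to on the client, and the result is cached in `timelineDTRenewer` at `serviceInit` for the life of the client. If the address is left at its default, or the cluster runs more than one ResourceManager, the substituted host may not be the host of the RM that later renews the token. Renewal then presumably works only because the server maps the principal to a short name through auth_to_local, as the new identifier test suggests. That dependency should be stated above the `conf.getSocketAddr(...)` call, e.g. `// _HOST is resolved from RM_ADDRESS on the client; renewal relies on the server's auth_to_local mapping this principal to the RM's short name`. The method also declares `throws IOException, YarnException` although no visible call raises `YarnException`, so `throws IOException` alone would be enough.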


@ -852,7 +852,25 @@ public class TestYarnClient {
client.stop(); client.stop();
} }
} }
@Test
public void testParseTimelineDelegationTokenRenewer() throws Exception {
// Client side
YarnClientImpl client = (YarnClientImpl) YarnClient.createYarnClient();
Configuration conf = new YarnConfiguration();
conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
conf.set(YarnConfiguration.RM_PRINCIPAL, "rm/_HOST@EXAMPLE.COM");
conf.set(
YarnConfiguration.RM_ADDRESS, "localhost:8188");
try {
client.init(conf);
client.start();
Assert.assertEquals("rm/localhost@EXAMPLE.COM", client.timelineDTRenewer);
} finally {
client.stop();
}
}
@Test @Test
public void testReservationAPIs() { public void testReservationAPIs() {
// initialize // initialize
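Review bot: `testParseTimelineDelegationTokenRenewer` covers only the case where `RM_PRINCIPAL` is set, so the branch that leaves the renewer `null` is never exercised. That value is handed straight to `timelineClient.getDelegationToken(...)`, so a companion test that initialises the client without `RM_PRINCIPAL` and checks `Assert.assertNull(client.timelineDTRenewer);` would pin the behaviour for unsecured configurations. The expected string also depends on `localhost` coming back unchanged from `getSocketAddr(...).getHostName()`, which is presumably stable but resolver-dependent. A one-line comment saying so would help whoever debugs a failure on an unusual host.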


@ -19,14 +19,18 @@ package org.apache.hadoop.yarn.security;
import java.io.IOException; import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.io.DataInputBuffer; import org.apache.hadoop.io.DataInputBuffer;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.ApplicationId; import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ContainerId; import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.api.records.Priority; import org.apache.hadoop.yarn.api.records.Priority;
import org.apache.hadoop.yarn.api.records.Resource; import org.apache.hadoop.yarn.api.records.Resource;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier; import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier; import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier;
@ -299,4 +303,19 @@ public class TestYARNTokenIdentifier {
anotherToken.getMasterKeyId(), masterKeyId); anotherToken.getMasterKeyId(), masterKeyId);
} }
@Test
public void testParseTimelineDelegationTokenIdentifierRenewer() throws IOException {
// Server side when generation a timeline DT
Configuration conf = new YarnConfiguration();
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL,
"RULE:[2:$1@$0]([nr]m@.*EXAMPLE.COM)s/.*/yarn/");
HadoopKerberosName.setConfiguration(conf);
Text owner = new Text("owner");
Text renewer = new Text("rm/localhost@EXAMPLE.COM");
Text realUser = new Text("realUser");
TimelineDelegationTokenIdentifier token =
new TimelineDelegationTokenIdentifier(owner, renewer, realUser);
Assert.assertEquals(new Text("yarn"), token.getRenewer());
}
} }
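Review bot: `HadoopKerberosName.setConfiguration(conf)` in `testParseTimelineDelegationTokenIdentifierRenewer` appears to install the auth_to_local rule as process-wide static state, and the test never restores it. Any test that runs later in the same JVM and maps a Kerberos name could then see `rm/...` and `nm/...` principals collapse to `yarn`. Wrapping the body in `try { ... } finally { HadoopKerberosName.setConfiguration(new YarnConfiguration()); }` would keep the rule local to this test. The comment `// Server side when generation a timeline DT` should read `when generating`.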