diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java index d66a97d2632..4210c54b863 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/RMAppAttemptImpl.java @@ -1205,6 +1205,8 @@ public class RMAppAttemptImpl implements RMAppAttempt, Recoverable { @Override public void transition(RMAppAttemptImpl appAttempt, RMAppAttemptEvent event) { + + appAttempt.registerClientToken(); appAttempt.launchAttempt(); } } @@ -1525,13 +1527,6 @@ public class RMAppAttemptImpl implements RMAppAttempt, Recoverable { // Register with AMLivelinessMonitor appAttempt.attemptLaunched(); - // register the ClientTokenMasterKey after it is saved in the store, - // otherwise client may hold an invalid ClientToken after RM restarts. - if (UserGroupInformation.isSecurityEnabled()) { - appAttempt.rmContext.getClientToAMTokenSecretManager() - .registerApplication(appAttempt.getAppAttemptId(), - appAttempt.getClientTokenMasterKey()); - } } } @@ -1598,11 +1593,20 @@ public class RMAppAttemptImpl implements RMAppAttempt, Recoverable { appAttempt.amrmToken = appAttempt.rmContext.getAMRMTokenSecretManager().createAndGetAMRMToken( appAttempt.applicationAttemptId); - + appAttempt.registerClientToken(); super.transition(appAttempt, event); } } + private void registerClientToken() { + // register the ClientTokenMasterKey after it is saved in the store, + // otherwise client may hold an invalid ClientToken after RM restarts. + if (UserGroupInformation.isSecurityEnabled()) { + rmContext.getClientToAMTokenSecretManager() + .registerApplication(getAppAttemptId(), getClientTokenMasterKey()); + } + } + private static final class LaunchFailedTransition extends BaseFinalTransition { public LaunchFailedTransition() { diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java index 9a4b6dc7f72..7702ab194b2 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/rmapp/attempt/TestRMAppAttemptTransitions.java @@ -663,21 +663,29 @@ public class TestRMAppAttemptTransitions { assertEquals(RMAppAttemptState.ALLOCATED_SAVING, applicationAttempt.getAppAttemptState()); + + if (UserGroupInformation.isSecurityEnabled()) { + // Before SAVED state, can't create ClientToken as at this time + // ClientTokenMasterKey has not been registered in the SecretManager + assertNull(applicationAttempt.createClientToken("some client")); + } + applicationAttempt.handle( new RMAppAttemptEvent(applicationAttempt.getAppAttemptId(), RMAppAttemptEventType.ATTEMPT_NEW_SAVED)); - + + if (UserGroupInformation.isSecurityEnabled()) { + // Before SAVED state, can't create ClientToken as at this time + // ClientTokenMasterKey has not been registered in the SecretManager + assertNotNull(applicationAttempt.createClientToken("some client")); + } + testAppAttemptAllocatedState(container); return container; } private void launchApplicationAttempt(Container container) { - if (UserGroupInformation.isSecurityEnabled()) { - // Before LAUNCHED state, can't create ClientToken as at this time - // ClientTokenMasterKey has not been registered in the SecretManager - assertNull(applicationAttempt.createClientToken("some client")); - } applicationAttempt.handle( new RMAppAttemptEvent(applicationAttempt.getAppAttemptId(), RMAppAttemptEventType.LAUNCHED)); @@ -1477,8 +1485,6 @@ public class TestRMAppAttemptTransitions { Token token = applicationAttempt.createClientToken(null); Assert.assertNull(token); - token = applicationAttempt.createClientToken("clientuser"); - Assert.assertNull(token); launchApplicationAttempt(amContainer); // after attempt is launched , can get ClientToken @@ -1505,22 +1511,15 @@ public class TestRMAppAttemptTransitions { public void testApplicationAttemptMasterKey() throws Exception { Container amContainer = allocateApplicationAttempt(); ApplicationAttemptId appid = applicationAttempt.getAppAttemptId(); - boolean isMasterKeyExisted = false; + boolean isMasterKeyExisted = clientToAMTokenManager.hasMasterKey(appid); - // before attempt is launched, can not get MasterKey - isMasterKeyExisted = clientToAMTokenManager.hasMasterKey(appid); - Assert.assertFalse(isMasterKeyExisted); - - launchApplicationAttempt(amContainer); - // after attempt is launched and in secure mode, can get MasterKey - isMasterKeyExisted = clientToAMTokenManager.hasMasterKey(appid); if (isSecurityEnabled) { Assert.assertTrue(isMasterKeyExisted); Assert.assertNotNull(clientToAMTokenManager.getMasterKey(appid)); } else { Assert.assertFalse(isMasterKeyExisted); } - + launchApplicationAttempt(amContainer); applicationAttempt.handle(new RMAppAttemptEvent(applicationAttempt .getAppAttemptId(), RMAppAttemptEventType.KILL)); assertEquals(YarnApplicationAttemptState.LAUNCHED,