YARN-134. Fixes ClientToAMSecretManager creates keys without checking for validity of the appID. (Contributed by Vinod Kumar Vavilapalli)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1395841 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
ad9bcb9e5a
commit
c074cfd6f0
|
@ -82,8 +82,7 @@ import org.apache.hadoop.yarn.factories.RecordFactory;
|
||||||
import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
|
import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
|
||||||
import org.apache.hadoop.yarn.ipc.RPCUtil;
|
import org.apache.hadoop.yarn.ipc.RPCUtil;
|
||||||
import org.apache.hadoop.yarn.ipc.YarnRPC;
|
import org.apache.hadoop.yarn.ipc.YarnRPC;
|
||||||
import org.apache.hadoop.yarn.security.client.ClientToAMSecretManager;
|
import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager;
|
||||||
import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier;
|
|
||||||
import org.apache.hadoop.yarn.service.AbstractService;
|
import org.apache.hadoop.yarn.service.AbstractService;
|
||||||
import org.apache.hadoop.yarn.webapp.WebApp;
|
import org.apache.hadoop.yarn.webapp.WebApp;
|
||||||
import org.apache.hadoop.yarn.webapp.WebApps;
|
import org.apache.hadoop.yarn.webapp.WebApps;
|
||||||
|
@ -115,16 +114,15 @@ public class MRClientService extends AbstractService
|
||||||
YarnRPC rpc = YarnRPC.create(conf);
|
YarnRPC rpc = YarnRPC.create(conf);
|
||||||
InetSocketAddress address = new InetSocketAddress(0);
|
InetSocketAddress address = new InetSocketAddress(0);
|
||||||
|
|
||||||
ClientToAMSecretManager secretManager = null;
|
ClientToAMTokenSecretManager secretManager = null;
|
||||||
if (UserGroupInformation.isSecurityEnabled()) {
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
secretManager = new ClientToAMSecretManager();
|
|
||||||
String secretKeyStr =
|
String secretKeyStr =
|
||||||
System
|
System
|
||||||
.getenv(ApplicationConstants.APPLICATION_CLIENT_SECRET_ENV_NAME);
|
.getenv(ApplicationConstants.APPLICATION_CLIENT_SECRET_ENV_NAME);
|
||||||
byte[] bytes = Base64.decodeBase64(secretKeyStr);
|
byte[] bytes = Base64.decodeBase64(secretKeyStr);
|
||||||
ClientTokenIdentifier identifier = new ClientTokenIdentifier(
|
secretManager =
|
||||||
this.appContext.getApplicationID());
|
new ClientToAMTokenSecretManager(this.appContext.getApplicationID(),
|
||||||
secretManager.setMasterKey(identifier, bytes);
|
bytes);
|
||||||
}
|
}
|
||||||
server =
|
server =
|
||||||
rpc.getServer(MRClientProtocol.class, protocolHandler, address,
|
rpc.getServer(MRClientProtocol.class, protocolHandler, address,
|
||||||
|
|
|
@ -61,6 +61,9 @@ Release 2.0.3-alpha - Unreleased
|
||||||
|
|
||||||
YARN-102. Move the apache header to the top of the file in MemStore.java.
|
YARN-102. Move the apache header to the top of the file in MemStore.java.
|
||||||
(Devaraj K via sseth)
|
(Devaraj K via sseth)
|
||||||
|
|
||||||
|
YARN-134. ClientToAMSecretManager creates keys without checking for
|
||||||
|
validity of the appID. (Vinod Kumar Vavilapalli via sseth)
|
||||||
|
|
||||||
Release 2.0.2-alpha - 2012-09-07
|
Release 2.0.2-alpha - 2012-09-07
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,7 @@ public interface ApplicationConstants {
|
||||||
|
|
||||||
// TODO: They say tokens via env isn't good.
|
// TODO: They say tokens via env isn't good.
|
||||||
public static final String APPLICATION_CLIENT_SECRET_ENV_NAME =
|
public static final String APPLICATION_CLIENT_SECRET_ENV_NAME =
|
||||||
"AppClientTokenEnv";
|
"AppClientSecretEnv";
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The environment variable for CONTAINER_ID. Set in AppMaster environment
|
* The environment variable for CONTAINER_ID. Set in AppMaster environment
|
||||||
|
|
|
@ -0,0 +1,53 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.security.client;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
|
import org.apache.hadoop.security.token.SecretManager;
|
||||||
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
|
|
||||||
|
public abstract class BaseClientToAMTokenSecretManager extends
|
||||||
|
SecretManager<ClientTokenIdentifier> {
|
||||||
|
|
||||||
|
public abstract SecretKey getMasterKey(ApplicationId applicationId);
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public synchronized byte[] createPassword(
|
||||||
|
ClientTokenIdentifier identifier) {
|
||||||
|
return createPassword(identifier.getBytes(),
|
||||||
|
getMasterKey(identifier.getApplicationID()));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public byte[] retrievePassword(ClientTokenIdentifier identifier)
|
||||||
|
throws SecretManager.InvalidToken {
|
||||||
|
SecretKey masterKey = getMasterKey(identifier.getApplicationID());
|
||||||
|
if (masterKey == null) {
|
||||||
|
throw new SecretManager.InvalidToken("Illegal client-token!");
|
||||||
|
}
|
||||||
|
return createPassword(identifier.getBytes(), masterKey);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ClientTokenIdentifier createIdentifier() {
|
||||||
|
return new ClientTokenIdentifier();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -1,103 +0,0 @@
|
||||||
/**
|
|
||||||
* Licensed to the Apache Software Foundation (ASF) under one
|
|
||||||
* or more contributor license agreements. See the NOTICE file
|
|
||||||
* distributed with this work for additional information
|
|
||||||
* regarding copyright ownership. The ASF licenses this file
|
|
||||||
* to you under the Apache License, Version 2.0 (the
|
|
||||||
* "License"); you may not use this file except in compliance
|
|
||||||
* with the License. You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package org.apache.hadoop.yarn.security.client;
|
|
||||||
|
|
||||||
import java.util.HashMap;
|
|
||||||
import java.util.Map;
|
|
||||||
|
|
||||||
import javax.crypto.SecretKey;
|
|
||||||
|
|
||||||
import org.apache.commons.codec.binary.Base64;
|
|
||||||
import org.apache.commons.logging.Log;
|
|
||||||
import org.apache.commons.logging.LogFactory;
|
|
||||||
import org.apache.hadoop.io.Text;
|
|
||||||
import org.apache.hadoop.security.token.SecretManager;
|
|
||||||
|
|
||||||
public class ClientToAMSecretManager extends
|
|
||||||
SecretManager<ClientTokenIdentifier> {
|
|
||||||
|
|
||||||
private static Log LOG = LogFactory.getLog(ClientToAMSecretManager.class);
|
|
||||||
|
|
||||||
// Per application masterkeys for managing client-tokens
|
|
||||||
private Map<Text, SecretKey> masterKeys = new HashMap<Text, SecretKey>();
|
|
||||||
|
|
||||||
public void setMasterKey(ClientTokenIdentifier identifier, byte[] key) {
|
|
||||||
SecretKey sk = SecretManager.createSecretKey(key);
|
|
||||||
Text applicationID = identifier.getApplicationID();
|
|
||||||
this.masterKeys.put(applicationID, sk);
|
|
||||||
if (LOG.isDebugEnabled()) {
|
|
||||||
LOG.debug("Setting master key for "
|
|
||||||
+ applicationID
|
|
||||||
+ " as "
|
|
||||||
+ new String(Base64.encodeBase64(this.masterKeys.get(applicationID)
|
|
||||||
.getEncoded())));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private void addMasterKey(ClientTokenIdentifier identifier) {
|
|
||||||
Text applicationID = identifier.getApplicationID();
|
|
||||||
this.masterKeys.put(applicationID, generateSecret());
|
|
||||||
if (LOG.isDebugEnabled()) {
|
|
||||||
LOG.debug("Creating master key for "
|
|
||||||
+ applicationID
|
|
||||||
+ " as "
|
|
||||||
+ new String(Base64.encodeBase64(this.masterKeys.get(applicationID)
|
|
||||||
.getEncoded())));}
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO: Handle the masterKey invalidation.
|
|
||||||
public synchronized SecretKey getMasterKey(
|
|
||||||
ClientTokenIdentifier identifier) {
|
|
||||||
Text applicationID = identifier.getApplicationID();
|
|
||||||
if (!this.masterKeys.containsKey(applicationID)) {
|
|
||||||
addMasterKey(identifier);
|
|
||||||
}
|
|
||||||
return this.masterKeys.get(applicationID);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public synchronized byte[] createPassword(
|
|
||||||
ClientTokenIdentifier identifier) {
|
|
||||||
byte[] password =
|
|
||||||
createPassword(identifier.getBytes(), getMasterKey(identifier));
|
|
||||||
if (LOG.isDebugEnabled()) {
|
|
||||||
LOG.debug("Password created is "
|
|
||||||
+ new String(Base64.encodeBase64(password)));
|
|
||||||
}
|
|
||||||
return password;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public byte[] retrievePassword(ClientTokenIdentifier identifier)
|
|
||||||
throws SecretManager.InvalidToken {
|
|
||||||
byte[] password =
|
|
||||||
createPassword(identifier.getBytes(), getMasterKey(identifier));
|
|
||||||
if (LOG.isDebugEnabled()) {
|
|
||||||
LOG.debug("Password retrieved is "
|
|
||||||
+ new String(Base64.encodeBase64(password)));
|
|
||||||
}
|
|
||||||
return password;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public ClientTokenIdentifier createIdentifier() {
|
|
||||||
return new ClientTokenIdentifier();
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.security.client;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
|
import org.apache.hadoop.security.token.SecretManager;
|
||||||
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
|
|
||||||
|
public class ClientToAMTokenSecretManager extends
|
||||||
|
BaseClientToAMTokenSecretManager {
|
||||||
|
|
||||||
|
// Only one client-token and one master-key for AM
|
||||||
|
private final SecretKey masterKey;
|
||||||
|
|
||||||
|
public ClientToAMTokenSecretManager(ApplicationId applicationID,
|
||||||
|
byte[] secretKeyBytes) {
|
||||||
|
super();
|
||||||
|
this.masterKey = SecretManager.createSecretKey(secretKeyBytes);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public SecretKey getMasterKey(ApplicationId applicationID) {
|
||||||
|
// Only one client-token and one master-key for AM, just return that.
|
||||||
|
return this.masterKey;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -28,36 +28,39 @@ import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.apache.hadoop.security.token.Token;
|
import org.apache.hadoop.security.token.Token;
|
||||||
import org.apache.hadoop.security.token.TokenIdentifier;
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
|
import org.apache.hadoop.yarn.util.BuilderUtils;
|
||||||
|
|
||||||
public class ClientTokenIdentifier extends TokenIdentifier {
|
public class ClientTokenIdentifier extends TokenIdentifier {
|
||||||
|
|
||||||
public static final Text KIND_NAME = new Text("YARN_CLIENT_TOKEN");
|
public static final Text KIND_NAME = new Text("YARN_CLIENT_TOKEN");
|
||||||
|
|
||||||
private Text appId;
|
private ApplicationId applicationId;
|
||||||
|
|
||||||
// TODO: Add more information in the tokenID such that it is not
|
// TODO: Add more information in the tokenID such that it is not
|
||||||
// transferrable, more secure etc.
|
// transferrable, more secure etc.
|
||||||
|
|
||||||
public ClientTokenIdentifier(ApplicationId id) {
|
|
||||||
this.appId = new Text(Integer.toString(id.getId()));
|
|
||||||
}
|
|
||||||
|
|
||||||
public ClientTokenIdentifier() {
|
public ClientTokenIdentifier() {
|
||||||
this.appId = new Text();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public Text getApplicationID() {
|
public ClientTokenIdentifier(ApplicationId id) {
|
||||||
return appId;
|
this();
|
||||||
|
this.applicationId = id;
|
||||||
|
}
|
||||||
|
|
||||||
|
public ApplicationId getApplicationID() {
|
||||||
|
return this.applicationId;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void write(DataOutput out) throws IOException {
|
public void write(DataOutput out) throws IOException {
|
||||||
appId.write(out);
|
out.writeLong(this.applicationId.getClusterTimestamp());
|
||||||
|
out.writeInt(this.applicationId.getId());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void readFields(DataInput in) throws IOException {
|
public void readFields(DataInput in) throws IOException {
|
||||||
appId.readFields(in);
|
this.applicationId =
|
||||||
|
BuilderUtils.newApplicationId(in.readLong(), in.readInt());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -67,10 +70,10 @@ public class ClientTokenIdentifier extends TokenIdentifier {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public UserGroupInformation getUser() {
|
public UserGroupInformation getUser() {
|
||||||
if (appId == null || "".equals(appId.toString())) {
|
if (this.applicationId == null) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
return UserGroupInformation.createRemoteUser(appId.toString());
|
return UserGroupInformation.createRemoteUser(this.applicationId.toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
@InterfaceAudience.Private
|
@InterfaceAudience.Private
|
||||||
|
|
|
@ -34,7 +34,6 @@ import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
|
||||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
import org.apache.hadoop.yarn.event.EventHandler;
|
import org.apache.hadoop.yarn.event.EventHandler;
|
||||||
import org.apache.hadoop.yarn.ipc.RPCUtil;
|
import org.apache.hadoop.yarn.ipc.RPCUtil;
|
||||||
import org.apache.hadoop.yarn.security.client.ClientToAMSecretManager;
|
|
||||||
import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier;
|
import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
|
import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger.AuditConstants;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.recovery.ApplicationsStore.ApplicationStore;
|
import org.apache.hadoop.yarn.server.resourcemanager.recovery.ApplicationsStore.ApplicationStore;
|
||||||
|
@ -45,6 +44,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppRejectedEvent;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppRejectedEvent;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
|
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
|
||||||
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -58,14 +58,14 @@ public class RMAppManager implements EventHandler<RMAppManagerEvent> {
|
||||||
private LinkedList<ApplicationId> completedApps = new LinkedList<ApplicationId>();
|
private LinkedList<ApplicationId> completedApps = new LinkedList<ApplicationId>();
|
||||||
|
|
||||||
private final RMContext rmContext;
|
private final RMContext rmContext;
|
||||||
private final ClientToAMSecretManager clientToAMSecretManager;
|
private final ClientToAMTokenSecretManagerInRM clientToAMSecretManager;
|
||||||
private final ApplicationMasterService masterService;
|
private final ApplicationMasterService masterService;
|
||||||
private final YarnScheduler scheduler;
|
private final YarnScheduler scheduler;
|
||||||
private final ApplicationACLsManager applicationACLsManager;
|
private final ApplicationACLsManager applicationACLsManager;
|
||||||
private Configuration conf;
|
private Configuration conf;
|
||||||
|
|
||||||
public RMAppManager(RMContext context,
|
public RMAppManager(RMContext context,
|
||||||
ClientToAMSecretManager clientToAMSecretManager,
|
ClientToAMTokenSecretManagerInRM clientToAMSecretManager,
|
||||||
YarnScheduler scheduler, ApplicationMasterService masterService,
|
YarnScheduler scheduler, ApplicationMasterService masterService,
|
||||||
ApplicationACLsManager applicationACLsManager, Configuration conf) {
|
ApplicationACLsManager applicationACLsManager, Configuration conf) {
|
||||||
this.rmContext = context;
|
this.rmContext = context;
|
||||||
|
@ -230,6 +230,8 @@ public class RMAppManager implements EventHandler<RMAppManagerEvent> {
|
||||||
ApplicationId applicationId = submissionContext.getApplicationId();
|
ApplicationId applicationId = submissionContext.getApplicationId();
|
||||||
RMApp application = null;
|
RMApp application = null;
|
||||||
try {
|
try {
|
||||||
|
// TODO: This needs to move to per-AppAttempt
|
||||||
|
this.clientToAMSecretManager.registerApplication(applicationId);
|
||||||
String clientTokenStr = null;
|
String clientTokenStr = null;
|
||||||
if (UserGroupInformation.isSecurityEnabled()) {
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
Token<ClientTokenIdentifier> clientToken = new
|
Token<ClientTokenIdentifier> clientToken = new
|
||||||
|
|
|
@ -42,7 +42,6 @@ import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
import org.apache.hadoop.yarn.event.AsyncDispatcher;
|
import org.apache.hadoop.yarn.event.AsyncDispatcher;
|
||||||
import org.apache.hadoop.yarn.event.Dispatcher;
|
import org.apache.hadoop.yarn.event.Dispatcher;
|
||||||
import org.apache.hadoop.yarn.event.EventHandler;
|
import org.apache.hadoop.yarn.event.EventHandler;
|
||||||
import org.apache.hadoop.yarn.security.client.ClientToAMSecretManager;
|
|
||||||
import org.apache.hadoop.yarn.server.RMDelegationTokenSecretManager;
|
import org.apache.hadoop.yarn.server.RMDelegationTokenSecretManager;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncherEventType;
|
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncherEventType;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.ApplicationMasterLauncher;
|
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.ApplicationMasterLauncher;
|
||||||
|
@ -66,6 +65,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEv
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEventType;
|
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.event.SchedulerEventType;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.security.ApplicationTokenSecretManager;
|
import org.apache.hadoop.yarn.server.resourcemanager.security.ApplicationTokenSecretManager;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer;
|
import org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
|
import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebApp;
|
import org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebApp;
|
||||||
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
||||||
|
@ -96,8 +96,8 @@ public class ResourceManager extends CompositeService implements Recoverable {
|
||||||
private static final Log LOG = LogFactory.getLog(ResourceManager.class);
|
private static final Log LOG = LogFactory.getLog(ResourceManager.class);
|
||||||
public static final long clusterTimeStamp = System.currentTimeMillis();
|
public static final long clusterTimeStamp = System.currentTimeMillis();
|
||||||
|
|
||||||
protected ClientToAMSecretManager clientToAMSecretManager =
|
protected ClientToAMTokenSecretManagerInRM clientToAMSecretManager =
|
||||||
new ClientToAMSecretManager();
|
new ClientToAMTokenSecretManagerInRM();
|
||||||
|
|
||||||
protected RMContainerTokenSecretManager containerTokenSecretManager;
|
protected RMContainerTokenSecretManager containerTokenSecretManager;
|
||||||
|
|
||||||
|
|
|
@ -42,6 +42,7 @@ import org.apache.hadoop.yarn.api.ApplicationConstants;
|
||||||
import org.apache.hadoop.yarn.api.ContainerManager;
|
import org.apache.hadoop.yarn.api.ContainerManager;
|
||||||
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
|
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
|
||||||
import org.apache.hadoop.yarn.api.protocolrecords.StopContainerRequest;
|
import org.apache.hadoop.yarn.api.protocolrecords.StopContainerRequest;
|
||||||
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
|
import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
|
||||||
import org.apache.hadoop.yarn.api.records.Container;
|
import org.apache.hadoop.yarn.api.records.Container;
|
||||||
import org.apache.hadoop.yarn.api.records.ContainerId;
|
import org.apache.hadoop.yarn.api.records.ContainerId;
|
||||||
|
@ -54,13 +55,12 @@ import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
|
||||||
import org.apache.hadoop.yarn.ipc.YarnRPC;
|
import org.apache.hadoop.yarn.ipc.YarnRPC;
|
||||||
import org.apache.hadoop.yarn.security.ApplicationTokenIdentifier;
|
import org.apache.hadoop.yarn.security.ApplicationTokenIdentifier;
|
||||||
import org.apache.hadoop.yarn.security.ContainerTokenIdentifier;
|
import org.apache.hadoop.yarn.security.ContainerTokenIdentifier;
|
||||||
import org.apache.hadoop.yarn.security.client.ClientToAMSecretManager;
|
|
||||||
import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier;
|
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
|
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEvent;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptEventType;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptLaunchFailedEvent;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptLaunchFailedEvent;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
|
||||||
import org.apache.hadoop.yarn.util.ProtoUtils;
|
import org.apache.hadoop.yarn.util.ProtoUtils;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -76,7 +76,7 @@ public class AMLauncher implements Runnable {
|
||||||
private final Configuration conf;
|
private final Configuration conf;
|
||||||
private final RecordFactory recordFactory =
|
private final RecordFactory recordFactory =
|
||||||
RecordFactoryProvider.getRecordFactory(null);
|
RecordFactoryProvider.getRecordFactory(null);
|
||||||
private final ClientToAMSecretManager clientToAMSecretManager;
|
private final ClientToAMTokenSecretManagerInRM clientToAMSecretManager;
|
||||||
private final AMLauncherEventType eventType;
|
private final AMLauncherEventType eventType;
|
||||||
private final RMContext rmContext;
|
private final RMContext rmContext;
|
||||||
|
|
||||||
|
@ -85,7 +85,7 @@ public class AMLauncher implements Runnable {
|
||||||
|
|
||||||
public AMLauncher(RMContext rmContext, RMAppAttempt application,
|
public AMLauncher(RMContext rmContext, RMAppAttempt application,
|
||||||
AMLauncherEventType eventType,
|
AMLauncherEventType eventType,
|
||||||
ClientToAMSecretManager clientToAMSecretManager, Configuration conf) {
|
ClientToAMTokenSecretManagerInRM clientToAMSecretManager, Configuration conf) {
|
||||||
this.application = application;
|
this.application = application;
|
||||||
this.conf = conf;
|
this.conf = conf;
|
||||||
this.clientToAMSecretManager = clientToAMSecretManager;
|
this.clientToAMSecretManager = clientToAMSecretManager;
|
||||||
|
@ -194,10 +194,12 @@ public class AMLauncher implements Runnable {
|
||||||
String parts[] =
|
String parts[] =
|
||||||
application.getMasterContainer().getNodeHttpAddress().split(":");
|
application.getMasterContainer().getNodeHttpAddress().split(":");
|
||||||
environment.put(ApplicationConstants.NM_HTTP_PORT_ENV, parts[1]);
|
environment.put(ApplicationConstants.NM_HTTP_PORT_ENV, parts[1]);
|
||||||
|
ApplicationId applicationId =
|
||||||
|
application.getAppAttemptId().getApplicationId();
|
||||||
environment.put(
|
environment.put(
|
||||||
ApplicationConstants.APP_SUBMIT_TIME_ENV,
|
ApplicationConstants.APP_SUBMIT_TIME_ENV,
|
||||||
String.valueOf(rmContext.getRMApps()
|
String.valueOf(rmContext.getRMApps()
|
||||||
.get(application.getAppAttemptId().getApplicationId())
|
.get(applicationId)
|
||||||
.getSubmitTime()));
|
.getSubmitTime()));
|
||||||
|
|
||||||
if (UserGroupInformation.isSecurityEnabled()) {
|
if (UserGroupInformation.isSecurityEnabled()) {
|
||||||
|
@ -237,10 +239,8 @@ public class AMLauncher implements Runnable {
|
||||||
container.setContainerTokens(
|
container.setContainerTokens(
|
||||||
ByteBuffer.wrap(dob.getData(), 0, dob.getLength()));
|
ByteBuffer.wrap(dob.getData(), 0, dob.getLength()));
|
||||||
|
|
||||||
ClientTokenIdentifier identifier = new ClientTokenIdentifier(
|
|
||||||
application.getAppAttemptId().getApplicationId());
|
|
||||||
SecretKey clientSecretKey =
|
SecretKey clientSecretKey =
|
||||||
this.clientToAMSecretManager.getMasterKey(identifier);
|
this.clientToAMSecretManager.getMasterKey(applicationId);
|
||||||
String encoded =
|
String encoded =
|
||||||
Base64.encodeBase64URLSafeString(clientSecretKey.getEncoded());
|
Base64.encodeBase64URLSafeString(clientSecretKey.getEncoded());
|
||||||
environment.put(
|
environment.put(
|
||||||
|
|
|
@ -25,9 +25,10 @@ import java.util.concurrent.TimeUnit;
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.apache.hadoop.yarn.event.EventHandler;
|
import org.apache.hadoop.yarn.event.EventHandler;
|
||||||
import org.apache.hadoop.yarn.security.client.ClientToAMSecretManager;
|
import org.apache.hadoop.yarn.security.client.BaseClientToAMTokenSecretManager;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
|
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
|
||||||
import org.apache.hadoop.yarn.service.AbstractService;
|
import org.apache.hadoop.yarn.service.AbstractService;
|
||||||
|
|
||||||
|
|
||||||
|
@ -41,11 +42,11 @@ public class ApplicationMasterLauncher extends AbstractService implements
|
||||||
private final BlockingQueue<Runnable> masterEvents
|
private final BlockingQueue<Runnable> masterEvents
|
||||||
= new LinkedBlockingQueue<Runnable>();
|
= new LinkedBlockingQueue<Runnable>();
|
||||||
|
|
||||||
private ClientToAMSecretManager clientToAMSecretManager;
|
private ClientToAMTokenSecretManagerInRM clientToAMSecretManager;
|
||||||
protected final RMContext context;
|
protected final RMContext context;
|
||||||
|
|
||||||
public ApplicationMasterLauncher(
|
public ApplicationMasterLauncher(
|
||||||
ClientToAMSecretManager clientToAMSecretManager, RMContext context) {
|
ClientToAMTokenSecretManagerInRM clientToAMSecretManager, RMContext context) {
|
||||||
super(ApplicationMasterLauncher.class.getName());
|
super(ApplicationMasterLauncher.class.getName());
|
||||||
this.context = context;
|
this.context = context;
|
||||||
this.launcherPool = new ThreadPoolExecutor(10, 10, 1,
|
this.launcherPool = new ThreadPoolExecutor(10, 10, 1,
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.server.resourcemanager.security;
|
||||||
|
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
|
||||||
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
|
import org.apache.hadoop.yarn.security.client.BaseClientToAMTokenSecretManager;
|
||||||
|
|
||||||
|
public class ClientToAMTokenSecretManagerInRM extends
|
||||||
|
BaseClientToAMTokenSecretManager {
|
||||||
|
|
||||||
|
// Per application master-keys for managing client-tokens
|
||||||
|
private Map<ApplicationId, SecretKey> masterKeys =
|
||||||
|
new HashMap<ApplicationId, SecretKey>();
|
||||||
|
|
||||||
|
public synchronized void registerApplication(ApplicationId applicationID) {
|
||||||
|
this.masterKeys.put(applicationID, generateSecret());
|
||||||
|
}
|
||||||
|
|
||||||
|
public synchronized void unRegisterApplication(ApplicationId applicationID) {
|
||||||
|
this.masterKeys.remove(applicationID);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public synchronized SecretKey getMasterKey(ApplicationId applicationID) {
|
||||||
|
return this.masterKeys.get(applicationID);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,61 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.server.resourcemanager;
|
||||||
|
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.yarn.api.ContainerManager;
|
||||||
|
import org.apache.hadoop.yarn.api.records.ContainerId;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncherEventType;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.ApplicationMasterLauncher;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
||||||
|
|
||||||
|
public class MockRMWithCustomAMLauncher extends MockRM {
|
||||||
|
|
||||||
|
private final ContainerManager containerManager;
|
||||||
|
|
||||||
|
public MockRMWithCustomAMLauncher(ContainerManager containerManager) {
|
||||||
|
this(new Configuration(), containerManager);
|
||||||
|
}
|
||||||
|
|
||||||
|
public MockRMWithCustomAMLauncher(Configuration conf,
|
||||||
|
ContainerManager containerManager) {
|
||||||
|
super(conf);
|
||||||
|
this.containerManager = containerManager;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected ApplicationMasterLauncher createAMLauncher() {
|
||||||
|
return new ApplicationMasterLauncher(super.clientToAMSecretManager,
|
||||||
|
getRMContext()) {
|
||||||
|
@Override
|
||||||
|
protected Runnable createRunnableLauncher(RMAppAttempt application,
|
||||||
|
AMLauncherEventType event) {
|
||||||
|
return new AMLauncher(context, application, event,
|
||||||
|
clientToAMSecretManager, getConfig()) {
|
||||||
|
@Override
|
||||||
|
protected ContainerManager getContainerMgrProxy(
|
||||||
|
ContainerId containerId) {
|
||||||
|
return containerManager;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
|
@ -47,7 +47,6 @@ import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
|
||||||
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
import org.apache.hadoop.yarn.conf.YarnConfiguration;
|
||||||
import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
|
import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
|
||||||
import org.apache.hadoop.yarn.ipc.YarnRPC;
|
import org.apache.hadoop.yarn.ipc.YarnRPC;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.TestApplicationMasterLauncher.MockRMWithCustomAMLauncher;
|
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
|
||||||
|
|
|
@ -37,7 +37,6 @@ import org.apache.hadoop.yarn.event.Dispatcher;
|
||||||
import org.apache.hadoop.yarn.event.EventHandler;
|
import org.apache.hadoop.yarn.event.EventHandler;
|
||||||
import org.apache.hadoop.yarn.factories.RecordFactory;
|
import org.apache.hadoop.yarn.factories.RecordFactory;
|
||||||
import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
|
import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
|
||||||
import org.apache.hadoop.yarn.security.client.ClientToAMSecretManager;
|
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.recovery.MemStore;
|
import org.apache.hadoop.yarn.server.resourcemanager.recovery.MemStore;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.MockRMApp;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.MockRMApp;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
||||||
|
@ -49,6 +48,7 @@ import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.ContainerAlloca
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
|
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
|
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler;
|
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.CapacityScheduler;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.security.ClientToAMTokenSecretManagerInRM;
|
||||||
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
||||||
import org.apache.hadoop.yarn.service.Service;
|
import org.apache.hadoop.yarn.service.Service;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
@ -140,7 +140,7 @@ public class TestAppManager{
|
||||||
}
|
}
|
||||||
|
|
||||||
public TestRMAppManager(RMContext context,
|
public TestRMAppManager(RMContext context,
|
||||||
ClientToAMSecretManager clientToAMSecretManager,
|
ClientToAMTokenSecretManagerInRM clientToAMSecretManager,
|
||||||
YarnScheduler scheduler, ApplicationMasterService masterService,
|
YarnScheduler scheduler, ApplicationMasterService masterService,
|
||||||
ApplicationACLsManager applicationACLsManager, Configuration conf) {
|
ApplicationACLsManager applicationACLsManager, Configuration conf) {
|
||||||
super(context, clientToAMSecretManager, scheduler, masterService,
|
super(context, clientToAMSecretManager, scheduler, masterService,
|
||||||
|
@ -342,7 +342,7 @@ public class TestAppManager{
|
||||||
ApplicationMasterService masterService =
|
ApplicationMasterService masterService =
|
||||||
new ApplicationMasterService(rmContext, scheduler);
|
new ApplicationMasterService(rmContext, scheduler);
|
||||||
TestRMAppManager appMonitor = new TestRMAppManager(rmContext,
|
TestRMAppManager appMonitor = new TestRMAppManager(rmContext,
|
||||||
new ClientToAMSecretManager(), scheduler, masterService,
|
new ClientToAMTokenSecretManagerInRM(), scheduler, masterService,
|
||||||
new ApplicationACLsManager(conf), conf);
|
new ApplicationACLsManager(conf), conf);
|
||||||
|
|
||||||
ApplicationId appID = MockApps.newAppID(1);
|
ApplicationId appID = MockApps.newAppID(1);
|
||||||
|
@ -390,7 +390,7 @@ public class TestAppManager{
|
||||||
ApplicationMasterService masterService =
|
ApplicationMasterService masterService =
|
||||||
new ApplicationMasterService(rmContext, scheduler);
|
new ApplicationMasterService(rmContext, scheduler);
|
||||||
TestRMAppManager appMonitor = new TestRMAppManager(rmContext,
|
TestRMAppManager appMonitor = new TestRMAppManager(rmContext,
|
||||||
new ClientToAMSecretManager(), scheduler, masterService,
|
new ClientToAMTokenSecretManagerInRM(), scheduler, masterService,
|
||||||
new ApplicationACLsManager(conf), conf);
|
new ApplicationACLsManager(conf), conf);
|
||||||
|
|
||||||
ApplicationId appID = MockApps.newAppID(10);
|
ApplicationId appID = MockApps.newAppID(10);
|
||||||
|
@ -438,7 +438,7 @@ public class TestAppManager{
|
||||||
ApplicationMasterService masterService =
|
ApplicationMasterService masterService =
|
||||||
new ApplicationMasterService(rmContext, scheduler);
|
new ApplicationMasterService(rmContext, scheduler);
|
||||||
TestRMAppManager appMonitor = new TestRMAppManager(rmContext,
|
TestRMAppManager appMonitor = new TestRMAppManager(rmContext,
|
||||||
new ClientToAMSecretManager(), scheduler, masterService,
|
new ClientToAMTokenSecretManagerInRM(), scheduler, masterService,
|
||||||
new ApplicationACLsManager(conf), conf);
|
new ApplicationACLsManager(conf), conf);
|
||||||
|
|
||||||
ApplicationId appID = MockApps.newAppID(0);
|
ApplicationId appID = MockApps.newAppID(0);
|
||||||
|
|
|
@ -22,7 +22,6 @@ import java.util.Map;
|
||||||
|
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
|
||||||
import org.apache.hadoop.yarn.api.ApplicationConstants;
|
import org.apache.hadoop.yarn.api.ApplicationConstants;
|
||||||
import org.apache.hadoop.yarn.api.ContainerManager;
|
import org.apache.hadoop.yarn.api.ContainerManager;
|
||||||
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusRequest;
|
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusRequest;
|
||||||
|
@ -35,9 +34,6 @@ import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
|
||||||
import org.apache.hadoop.yarn.api.records.ContainerId;
|
import org.apache.hadoop.yarn.api.records.ContainerId;
|
||||||
import org.apache.hadoop.yarn.api.records.ContainerState;
|
import org.apache.hadoop.yarn.api.records.ContainerState;
|
||||||
import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
|
import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher;
|
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncherEventType;
|
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.amlauncher.ApplicationMasterLauncher;
|
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
|
||||||
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
|
||||||
|
@ -106,40 +102,6 @@ public class TestApplicationMasterLauncher {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static class MockRMWithCustomAMLauncher extends MockRM {
|
|
||||||
|
|
||||||
private final ContainerManager containerManager;
|
|
||||||
|
|
||||||
public MockRMWithCustomAMLauncher(ContainerManager containerManager) {
|
|
||||||
this(new Configuration(), containerManager);
|
|
||||||
}
|
|
||||||
|
|
||||||
public MockRMWithCustomAMLauncher(Configuration conf,
|
|
||||||
ContainerManager containerManager) {
|
|
||||||
super(conf);
|
|
||||||
this.containerManager = containerManager;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
protected ApplicationMasterLauncher createAMLauncher() {
|
|
||||||
return new ApplicationMasterLauncher(super.clientToAMSecretManager,
|
|
||||||
getRMContext()) {
|
|
||||||
@Override
|
|
||||||
protected Runnable createRunnableLauncher(RMAppAttempt application,
|
|
||||||
AMLauncherEventType event) {
|
|
||||||
return new AMLauncher(context, application, event,
|
|
||||||
clientToAMSecretManager, getConfig()) {
|
|
||||||
@Override
|
|
||||||
protected ContainerManager getContainerMgrProxy(
|
|
||||||
ContainerId containerId) {
|
|
||||||
return containerManager;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
}
|
|
||||||
};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testAMLaunchAndCleanup() throws Exception {
|
public void testAMLaunchAndCleanup() throws Exception {
|
||||||
Logger rootLogger = LogManager.getRootLogger();
|
Logger rootLogger = LogManager.getRootLogger();
|
||||||
|
|
|
@ -0,0 +1,315 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.apache.hadoop.yarn.server.resourcemanager.security;
|
||||||
|
|
||||||
|
import static org.junit.Assert.fail;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.lang.annotation.Annotation;
|
||||||
|
import java.net.InetSocketAddress;
|
||||||
|
import java.security.PrivilegedExceptionAction;
|
||||||
|
|
||||||
|
import junit.framework.Assert;
|
||||||
|
|
||||||
|
import org.apache.commons.codec.binary.Base64;
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
|
||||||
|
import org.apache.hadoop.ipc.RPC;
|
||||||
|
import org.apache.hadoop.ipc.Server;
|
||||||
|
import org.apache.hadoop.net.NetUtils;
|
||||||
|
import org.apache.hadoop.security.KerberosInfo;
|
||||||
|
import org.apache.hadoop.security.SecurityInfo;
|
||||||
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.token.Token;
|
||||||
|
import org.apache.hadoop.security.token.TokenIdentifier;
|
||||||
|
import org.apache.hadoop.security.token.TokenInfo;
|
||||||
|
import org.apache.hadoop.security.token.TokenSelector;
|
||||||
|
import org.apache.hadoop.yarn.YarnException;
|
||||||
|
import org.apache.hadoop.yarn.api.ApplicationConstants;
|
||||||
|
import org.apache.hadoop.yarn.api.ContainerManager;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportResponse;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusRequest;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusResponse;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerResponse;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.StopContainerRequest;
|
||||||
|
import org.apache.hadoop.yarn.api.protocolrecords.StopContainerResponse;
|
||||||
|
import org.apache.hadoop.yarn.api.records.ApplicationId;
|
||||||
|
import org.apache.hadoop.yarn.api.records.ApplicationReport;
|
||||||
|
import org.apache.hadoop.yarn.event.Dispatcher;
|
||||||
|
import org.apache.hadoop.yarn.event.DrainDispatcher;
|
||||||
|
import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
|
||||||
|
import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager;
|
||||||
|
import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier;
|
||||||
|
import org.apache.hadoop.yarn.security.client.ClientTokenSelector;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.MockRMWithCustomAMLauncher;
|
||||||
|
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
|
||||||
|
import org.apache.hadoop.yarn.service.AbstractService;
|
||||||
|
import org.apache.hadoop.yarn.util.BuilderUtils;
|
||||||
|
import org.apache.hadoop.yarn.util.Records;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
public class TestClientTokens {
|
||||||
|
|
||||||
|
private interface CustomProtocol {
|
||||||
|
public static final long versionID = 1L;
|
||||||
|
|
||||||
|
public void ping();
|
||||||
|
}
|
||||||
|
|
||||||
|
private static class CustomSecurityInfo extends SecurityInfo {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public TokenInfo getTokenInfo(Class<?> protocol, Configuration conf) {
|
||||||
|
return new TokenInfo() {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<? extends Annotation> annotationType() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Class<? extends TokenSelector<? extends TokenIdentifier>>
|
||||||
|
value() {
|
||||||
|
return ClientTokenSelector.class;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public KerberosInfo getKerberosInfo(Class<?> protocol, Configuration conf) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
private static class CustomAM extends AbstractService implements
|
||||||
|
CustomProtocol {
|
||||||
|
|
||||||
|
private final ApplicationId appId;
|
||||||
|
private final String secretKey;
|
||||||
|
private InetSocketAddress address;
|
||||||
|
private boolean pinged = false;
|
||||||
|
|
||||||
|
public CustomAM(ApplicationId appId, String secretKeyStr) {
|
||||||
|
super("CustomAM");
|
||||||
|
this.appId = appId;
|
||||||
|
this.secretKey = secretKeyStr;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void ping() {
|
||||||
|
this.pinged = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public synchronized void start() {
|
||||||
|
Configuration conf = getConfig();
|
||||||
|
|
||||||
|
ClientToAMTokenSecretManager secretManager = null;
|
||||||
|
byte[] bytes = Base64.decodeBase64(this.secretKey);
|
||||||
|
secretManager = new ClientToAMTokenSecretManager(this.appId, bytes);
|
||||||
|
Server server;
|
||||||
|
try {
|
||||||
|
server =
|
||||||
|
new RPC.Builder(conf).setProtocol(CustomProtocol.class)
|
||||||
|
.setNumHandlers(1).setSecretManager(secretManager)
|
||||||
|
.setInstance(this).build();
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new YarnException(e);
|
||||||
|
}
|
||||||
|
server.start();
|
||||||
|
this.address = NetUtils.getConnectAddress(server);
|
||||||
|
super.start();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static class CustomNM implements ContainerManager {
|
||||||
|
|
||||||
|
public String clientTokensSecret;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public StartContainerResponse startContainer(StartContainerRequest request)
|
||||||
|
throws YarnRemoteException {
|
||||||
|
this.clientTokensSecret =
|
||||||
|
request.getContainerLaunchContext().getEnvironment()
|
||||||
|
.get(ApplicationConstants.APPLICATION_CLIENT_SECRET_ENV_NAME);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public StopContainerResponse stopContainer(StopContainerRequest request)
|
||||||
|
throws YarnRemoteException {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public GetContainerStatusResponse getContainerStatus(
|
||||||
|
GetContainerStatusRequest request) throws YarnRemoteException {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testClientTokens() throws Exception {
|
||||||
|
|
||||||
|
final Configuration conf = new Configuration();
|
||||||
|
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION,
|
||||||
|
"kerberos");
|
||||||
|
UserGroupInformation.setConfiguration(conf);
|
||||||
|
|
||||||
|
CustomNM containerManager = new CustomNM();
|
||||||
|
final DrainDispatcher dispatcher = new DrainDispatcher();
|
||||||
|
|
||||||
|
MockRM rm = new MockRMWithCustomAMLauncher(conf, containerManager) {
|
||||||
|
protected ClientRMService createClientRMService() {
|
||||||
|
return new ClientRMService(this.rmContext, scheduler,
|
||||||
|
this.rmAppManager, this.applicationACLsManager,
|
||||||
|
this.rmDTSecretManager);
|
||||||
|
};
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Dispatcher createDispatcher() {
|
||||||
|
return dispatcher;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void doSecureLogin() throws IOException {
|
||||||
|
}
|
||||||
|
};
|
||||||
|
rm.start();
|
||||||
|
|
||||||
|
// Submit an app
|
||||||
|
RMApp app = rm.submitApp(1024);
|
||||||
|
dispatcher.await();
|
||||||
|
|
||||||
|
// Set up a node.
|
||||||
|
MockNM nm1 = rm.registerNode("localhost:1234", 3072);
|
||||||
|
nm1.nodeHeartbeat(true);
|
||||||
|
dispatcher.await();
|
||||||
|
|
||||||
|
// Get the app-report.
|
||||||
|
GetApplicationReportRequest request =
|
||||||
|
Records.newRecord(GetApplicationReportRequest.class);
|
||||||
|
request.setApplicationId(app.getApplicationId());
|
||||||
|
GetApplicationReportResponse reportResponse =
|
||||||
|
rm.getClientRMService().getApplicationReport(request);
|
||||||
|
ApplicationReport appReport = reportResponse.getApplicationReport();
|
||||||
|
String clientTokenEncoded = appReport.getClientToken();
|
||||||
|
|
||||||
|
// Wait till AM is 'launched'
|
||||||
|
int waitTime = 0;
|
||||||
|
while (containerManager.clientTokensSecret == null && waitTime++ < 20) {
|
||||||
|
Thread.sleep(1000);
|
||||||
|
}
|
||||||
|
Assert.assertNotNull(containerManager.clientTokensSecret);
|
||||||
|
|
||||||
|
// Start the AM with the correct shared-secret.
|
||||||
|
final CustomAM am =
|
||||||
|
new CustomAM(app.getApplicationId(),
|
||||||
|
containerManager.clientTokensSecret);
|
||||||
|
am.init(conf);
|
||||||
|
am.start();
|
||||||
|
|
||||||
|
// Now the real test!
|
||||||
|
// Set up clients to be able to pick up correct tokens.
|
||||||
|
SecurityUtil.setSecurityInfoProviders(new CustomSecurityInfo());
|
||||||
|
|
||||||
|
// Verify denial for unauthenticated user
|
||||||
|
try {
|
||||||
|
CustomProtocol client =
|
||||||
|
(CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, am.address,
|
||||||
|
conf);
|
||||||
|
client.ping();
|
||||||
|
fail("Access by unauthenticated user should fail!!");
|
||||||
|
} catch (Exception e) {
|
||||||
|
Assert.assertFalse(am.pinged);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify denial for a malicious user
|
||||||
|
UserGroupInformation ugi = UserGroupInformation.createRemoteUser("me");
|
||||||
|
Token<ClientTokenIdentifier> clientToken =
|
||||||
|
new Token<ClientTokenIdentifier>();
|
||||||
|
clientToken.decodeFromUrlString(clientTokenEncoded);
|
||||||
|
// RPC layer client expects ip:port as service for tokens
|
||||||
|
SecurityUtil.setTokenService(clientToken, am.address);
|
||||||
|
|
||||||
|
// Malicious user, messes with appId
|
||||||
|
ClientTokenIdentifier maliciousID =
|
||||||
|
new ClientTokenIdentifier(BuilderUtils.newApplicationId(app
|
||||||
|
.getApplicationId().getClusterTimestamp(), 42));
|
||||||
|
|
||||||
|
Token<ClientTokenIdentifier> maliciousToken =
|
||||||
|
new Token<ClientTokenIdentifier>(maliciousID.getBytes(),
|
||||||
|
clientToken.getPassword(), clientToken.getKind(),
|
||||||
|
clientToken.getService());
|
||||||
|
ugi.addToken(maliciousToken);
|
||||||
|
|
||||||
|
try {
|
||||||
|
ugi.doAs(new PrivilegedExceptionAction<Void>() {
|
||||||
|
@Override
|
||||||
|
public Void run() throws Exception {
|
||||||
|
CustomProtocol client =
|
||||||
|
(CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L,
|
||||||
|
am.address, conf);
|
||||||
|
client.ping();
|
||||||
|
fail("Connection initiation with illegally modified "
|
||||||
|
+ "tokens is expected to fail.");
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} catch (YarnRemoteException e) {
|
||||||
|
fail("Cannot get a YARN remote exception as "
|
||||||
|
+ "it will indicate RPC success");
|
||||||
|
} catch (Exception e) {
|
||||||
|
Assert
|
||||||
|
.assertEquals(java.lang.reflect.UndeclaredThrowableException.class
|
||||||
|
.getCanonicalName(), e.getClass().getCanonicalName());
|
||||||
|
Assert.assertTrue(e
|
||||||
|
.getCause()
|
||||||
|
.getMessage()
|
||||||
|
.contains(
|
||||||
|
"DIGEST-MD5: digest response format violation. "
|
||||||
|
+ "Mismatched response."));
|
||||||
|
Assert.assertFalse(am.pinged);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now for an authenticated user
|
||||||
|
ugi = UserGroupInformation.createRemoteUser("me");
|
||||||
|
ugi.addToken(clientToken);
|
||||||
|
|
||||||
|
ugi.doAs(new PrivilegedExceptionAction<Void>() {
|
||||||
|
@Override
|
||||||
|
public Void run() throws Exception {
|
||||||
|
CustomProtocol client =
|
||||||
|
(CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, am.address,
|
||||||
|
conf);
|
||||||
|
client.ping();
|
||||||
|
Assert.assertTrue(am.pinged);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
Loading…
Reference in New Issue